• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    Hybrid method of encryption and decryption of electronic documents. A key is generated with a random number generation algorithm (20); the document is encrypted using the key and a symmetric algorithm (31); the document is decrypted and its hash is obtained by comparing it with the first hash; if the product to be encrypted asymmetrically is greater than the public key, it is divided into whole blocks of bytes; the symmetric key or the blocks are encrypted with an asymmetric algorithm (32) and one or more public keys; an application identifier is labeled to be encapsulated; the information to revert the process is labeled and encapsulated in the encrypted document; the application identifier is checked; the encapsulated information is extracted; with the private key pair the symmetric key or its blocks is decrypted; the blocks are united; with the symmetric key the document is decrypted. (Machine-translation by Google Translate, not legally binding)
    公开号:ES2613881A1
    申请号:ES201630804
    申请日:2016-06-13
    公开日:2017-05-26
    发明作者:Alvaro DIAZ BAÑO;Pablo DIAZ BAÑO
    申请人:Alvaro DIAZ BAÑO;Pablo DIAZ BAÑO;
    IPC主号:
    专利说明:

    HYBRID METHOD OF ENCRYPTING AND DEFRYING DOCUMENTS5 ELECTRONICS
    SECTOR OF THE TECHNIQUE
    The present invention belongs to the computer security sector. The present invention relates to a new method that makes hybrid encryption without limit of the number or size of the asymmetric keys used possible, and develops new procedures that are improvements of the current technique making it possible to: associate the processed electronic documents with the computer applications that
    15 process; automatically generate symmetric keys with no size limit; Perform quality control of encryption by obtaining and comparing hash fingerprints; include and encapsulate in the encrypted electronic document all the information
    cryptographic necessary to reverse the encryption process; securely encrypt the encrypted electronic document for online submission; use public keys that 20 are not subject to limited periods of validity, but are associated with private keys stored in cryptographic hardware token of PKI systems.
    BACKGROUND OF THE INVENTION
    There is extensive documentation describing hybrid encryption systems, however all of them suffer from important limitations that this invention finally resolves. The limitations are:
    1.-In asymmetric cryptography the document to be encrypted cannot be greater than
    30 the public key pair to be used, in the case of this invention the document to be asymmetrically encrypted is the symmetric key. If a symmetric key is encrypted by an asymmetric one, the resulting product is of such size that it can no longer be re-encrypted by other asymmetric keys, unless the symmetric key is of such a short length that it cannot be cryptographically safe.
    35 The limitation of the current technique is evident when it is desired to encrypt with several public keys a symmetric key of a size that can be considered cryptographically secure. For example, a 256-bit symmetric key when encrypted with a 2048-bit public key generates a 256-bit encrypted symmetric key (1 byte = 8-bit), that is, 2048 bits. If the public key were 1024 bits and the symmetric one was 128 bits, an encrypted key of 128 bytes would be obtained, that is 1024 bits. For the
    5 Therefore, the resulting encrypted product can no longer be re-encrypted with keys of similar length. There are numerous environments in which the requirement of multiple operators is necessary, for example to control access to highly confidential electronic documents, in which the presence of two or more people is required
    10 authorized. 2.-Another of the limitations presented by the current state of the art is also derived from the size limitation. Although the automatic obtaining of symmetric keys by random number generation algorithms is documented in Patent CN102404120 (A), these algorithms are specifically restricted
    15 to 32 bits, a size cryptographically considered insecure. It is of great interest the possibility of automatically obtaining, through the use of random number generation algorithms, symmetric keys without size limitation, since since it is a hybrid encryption it is not necessary for the user to know the key to symmetric encryption used to Encrypt the document, thus protecting
    20 documents can be made without human intervention. 3.-A new limitation of the current hybrid encryption systems is that they are only capable of encapsulating a single encrypted symmetric key, there is no procedure that allows encapsulating products encrypted by multiple asymmetric keys, or adding other information necessary to reverse this process Encryption
    25 When encapsulating the encryption bytes exclusively, the information must always be the same length, which determines the encryption process itself. 4.-Another of the limitations presented by the current technique is that it only offers two modes of use to access a public key, each of them with significant functional deficiencies:
    30 a) Pretty Good Privacy (PGP). This program allows the generation of a public and private key pair, without the public key having to be associated with an electronic certificate. The problem is that the system is not compatible with current cryptographic hardware token. This presupposes a significant functional lack since only these tokens guarantee that the
    35 private key is inaccessible and iduplicable.
    b) Public Key Infrastructures (PKI). Although this system is compatible with almost all cryptographic hardware tokens, it requires the issuance of the x509v3 electronic certificate, which poses a serious functional problem.
    5 The international legislation on electronic certificates and the technical standards related to them, from RFC 2459 to RFC 5280 among others, determine the obligation to establish a period of validity, in fact the certificate holder usually signs a document committing to cease the use of the private key from the moment the certificate expires. In
    10 an environment in which the private key is necessary to be able to access the information over time, the problem has an extremely serious scope. In both cases, each public key is stored in a single container, which presupposes a limitation in automated processes by having to handle
    15 as many containers as public keys intervene. 5.-A lack of encryption processes is the quality control of encryption, which despite its importance is virtually non-existent. It is essential to ensure the recovery of the document without losing its essence while maintaining its complete integrity with respect to the original. There are numerous factors that can cause
    20 corruption of a document when it is encrypted, from an error in the encoding, to a fortuitous hardware failure. Many of these failures are undetectable at the time of encryption, they emerge when you want to recover the electronic document. 6.-Another lack is the transfer of encrypted electronic documents through the Internet, the technique of encoding them to Base 64 is generally used,
    25 but this codification, although highly reliable, also presents important shortcomings, as recognized by the international recommendation RFC 1521 of the international organization Internet Engineering Task Force (lETF), which in its section
    7.1 .1., Indicates that maximum attention should be given to multibyte characters (MBCS), eg Chinese characters, or Chinese Kanji, which among many other languages do not
    30 can be represented by 8 bits, invariably require 16 bits. And it is left for future revisions to solve this problem. 7.-Another lack of encryption processes is that the application used and the documents processed by it are not closely associated. In high security contexts it is essential to have a control of the computer applications that
    35 can be used to access information.
    An extensive study on existing patents has been carried out. None of them describe the methods claimed in this invention. And some of those analyzed only confirm the limitations of the state of the art.
    5 Specifically:
    The publication "Moderne Verfahren der Kryptographie" ("Modern Cryptography Procedures") Beutelspacher, Schwenk, Wolfenstetter, 3. Edition, 1999, Vieweg Verlag, contains a detailed description of the cryptographic key procedures
    10 public.
    The RSA cryptographic system described in U.S. Patent No. 4,405,829 issued to Rivest et al. Describes an example of a public key cryptographic system methodology.
    15 CN102404120 (A) -Encryption method and encryption system for electronic documents which includes a random number generation module, which are used to symmetrically encrypt an electronic document; The symmetric key is encrypted with a public key obtained from an electronic certificate, the only possible procedure
    20 according to the description made in the patent; edit the electronic document and include the encrypted symmetric key, without any specific order or structure. Claim 1 expressly limits the algorithm of random number generation to the size of 32 bits, that is to say a symmetric 4-byte key, something that is critically considered a low security encryption today. Is
    It was clear that the authors at the time of writing were aware of the problem of the length of keys that symmetric cryptography has, and failed to resolve this limitation.
    . EXPLANATION OF THE INVENTION
    In order to achieve the objectives and avoid the inconveniences mentioned in the previous sections, this invention develops the following procedures:
    1.-The limitation of the size of the symmetric key with respect to the public key, and the limitation of using multiple public keys in a layered encryption, is resolved
    by the procedure of calculating before each encryption process the size of the product to be encrypted asymmetrically and, if it is larger than the asymmetric key, the product to be encrypted is divided into whole blocks of bytes or, even, as necessary, 5 those blocks can be subdivided so that the product to be encrypted is always smaller than the public key to be used, there is no limitation of length or number of keys to be used. To reverse the process, each block is first decrypted in the reverse order of encryption, and using the private key pair associated with the public key that was used to encrypt; Once each 10 group of blocks has been decrypted, they are joined in the reverse order in which they were subdivided or divided until the symmetric key was obtained. All programming languages have the ability to edit, divide and subdivide whole blocks of bytes with a symmetric key, for asymmetric encryption an asymmetric encryption algorithm is used and the same algorithm for decryption, there are numerous free algorithms
    15 use, eg RSA, EIGamal, DSA, etc., extensively documented on the Internet; 2.-Once the size limitation of the symmetric key is resolved, this invention presents the novelty of automatically generating, using a random number generation algorithm, a symmetric key without size limitation; there are multiple algorithms that allow obtaining secure keys, for example from
    20 size equal to more than 128 bits, extensively documented on the Internet p. ex. Blum Blum Shub, Fortuna, or Mersenne twister, in addition to almost all cryptographic hardware tokens integrate a random number generation function that can also be used; 3.-In order to reverse the sophisticated encryption process of this invention, they are used
    25 identification tags that make it possible to structure the information necessary to decipher the electronic document, and that act as data separators; The set of information and labels forms one or more data containers that are encapsulated in the body of the encrypted electronic document. Informative content is associated with identification tags, and can even be included
    30 labels that have no associated informative content, eg start and end of encapsulation. This procedure allows to develop a process logic that not only treats each information independently, but also converts the labels into logical separators, which allow encapsulating the information in any part of the encrypted document and subsequently extracting the exact bytes from the
    35 encapsulated information. This procedure is extremely versatile, it has no limitation as to the format, length, number, or identification code of the labels, the structure considered necessary according to the type of encryption to be performed is implemented in a computer logic, being of this way capable of automating the generation of data containers and their encapsulation; the
    5 information being structured can be consulted and the necessary data used to easily reverse the cryptographic process performed; All programming languages have the ability to edit documents, implement information labeling logic, create data containers and encapsulate them. 4.-This invention defines a new procedure that stores the bytes of a key
    10 public in a structured information container, along with the identifier that you share with your private key pair. For this purpose, a procedure has been developed that, starting from the usual system for preparing an x509v3 certificate, the process is interrupted in a previous step, specifically at the time of creation of the file in PKCS # 10 format, also called self-signed certificate or
    15 request; in that step the private key has already been generated, and is contained in a cryptographic hardware token or in a software keystore in which the private key is associated with an identifier that it shares with the public key; This PKCS # 10 file is edited and its information is loaded into a structured information container, eg an XML, which allows saving at least: [KEY]
    20 bytes of the public key; [1 D] identifier that you share with your private key pair; You can also store other data such as: [TYPE] type of key; [SIZE] key size in Bits. A peculiarity of the cryptographic information of the PKCS # 10 file is that it has not yet undergone a period of validity, therefore, it can be used indefinitely. Almost all programming languages have the
    25 ability to create structured information containers such as an XML, and can use cryptosystems that include this functionality, are free to use and are widely documented on the Internet such as Open SSL or Bouncy Castell; 5.-This method incorporates an encryption quality control, based on the generation and comparison of hash summaries. Using a digestion algorithm that is applied
    30 on the original electronic document, a first hash is obtained that can be labeled and encapsulated in the body of the encrypted document, after each decryption a hash of the decrypted document is obtained, which is compared with the first hash to determine its integrity; There are various free-use hash digest or digest algorithms widely documented on the Internet, e.g. ex. SHA1,
    35 SHA256, among others, 6.-A conversion table containing all the characters has been created
    recognized in a standard way by Base64 encoding, this table also contains characters not recognized in Base64 having included equivalences that are characterized by being 16 bits; This table allows for a secure coding that guarantees the transmission of the encrypted and encapsulated document over the Internet without running the risk of being corrupted; the procedure reads all the characters contained in the encrypted and encapsulated electronic document, if any of the characters is not included in the conversion table, the document will not be encoded thus preventing corruption, and if all the characters are recognized even if any of them dont have
    10 correspondence with the Base64 standard, it is possible to encode it with the 16-bit equivalence implemented in the table. All programming languages can implement this procedure without presupposing any relevant challenge. 7.-A procedure has been developed whereby the computer application used to process the document has an identifier or use key, each
    15 document processed by this application incorporates the encrypted identifier or its hash in a label of the data container that is encapsulated in the encrypted electronic document. This identifier or usage key intimately associates the processed document with a specific licensed application, which in turn can be installed on n computer equipment that makes up an infrastructure associated by
    20 that common element, this identifier can be determined at the will of the administrator who manages the infrastructure, or by the manufacturer that markets it, or be automatically generated from another value shared by all computer equipment, eg name of the organization, IP reason, etc. there is no other limitation than to select an identifier that is univocal, and there is no restriction
    25 to store the identifier, which can be recorded in a memory location of the equipment in which the application is installed, in an electronic file, in the application code itself, etc. There is no other limitation than selecting a specific location. The procedure contemplates the possibility that the encrypted identifier or hash are already processed and stored, so the application does not have to
    30 carry out the transformation on each occasion, with the consequent process savings. In any case, the hash is obtained by applying a digestion algorithm to the identifier, and for the encryption of the identifier, a symmetric or asymmetric encryption algorithm can be used and a key that, as the only limitation, must always be the same. Prior to the decryption process, the computer application determines whether the
    The application identifier is associated with the identifier included in the encrypted document, for this purpose, edit the data container and obtain the label and information
    label and information associated with the identifier; if the identifier is encrypted it mustdecrypt it using the same key if it is symmetric, or associated private keyto the public pair used to encrypt, in case of being asymmetric encryption, using5 always the same algorithm that encrypted them, we proceed to compare the identifierdecrypted with the application identifier; if it's the hash of the identifierapply a digestion algorithm on the application identifier, and comparethe hash obtained with the hash tagged in the document data containerencryption The realization of these comparisons does not presuppose any challenge, and follows the
    10 same cryptographic processes as previously described. 8.-To encrypt the document uses a symmetric key without size limitation and a symmetric algorithm, there are numerous free-use symmetric encryption algorithms, widely documented on the Internet, its use does not presuppose any challenge, eg CAST, IDEA, TripleDES, AES, etc; and cryptosystems that facilitate its use as Open
    15 SSL or Bouncy Castell; to decipher the same symmetric key and the symmetric algorithm used to encrypt is used.
    BRIEF DESCRIPTION OF THE DRAWINGS
    To complement the description that is being made and in order to help a better understanding of the characteristics of the invention, a set of drawings is attached as an integral part of said description, in which the following has been represented:
    25 Figure 1 illustrates a symmetric encryption scheme. Figure 2 illustrates an asymmetric encryption scheme. Figure 3 illustrates a random number generator scheme, according to the invention patent Application Number: P200702299. Figure 4 illustrates a data encapsulation scheme with separators.
    PREFERRED EMBODIMENT OF THE INVENTION
    A first preferred embodiment of the system described herein essentially comprises the following elements:
    a) A computer terminal, which has a storage memory of
    non volatile data (1). A PKI cryptographic token, also known as an electronic signature device HSM (hardware security module (5), has been connected to this terminal, with a USB connector that assembles a cryptographic processor from the
    5 manufacturer ST Microelectronics. In the preferred application example, an HP Pavilion model computer with Intel® Atom ™ 2 Z8300 processor, and with Windows 8 operating system, with 500 Gb SATA hard drive is used. The storage unit (1) contains a PKCS # file 10 (2) with the public key (7) labeled with an identifier (19) that is shared with the private key
    10 (6); an API PKCS # 11 (16) of the manufacturer ST Microelectronics; an electronic document (8); an XML containing the identifier (29) of the user program (4) entered by the user himself; a user program (4); a cryptosystem (3), Bouncy Castle, which offers a wide collection of APIs that contain the main algorithms for symmetric cryptographic processes (31) and
    15 asymmetric (32), and even implements the ability to make calls according to the PKCS # 11 standard (16), read the content of X509 electronic certificates, read PKCS # 10 files (2), and store software according to PKCS # 15 standard that they contain a private key, in addition it has algorithms of random generation of numbers (20) of size equal to or greater than 128 bits. It also has digestion algorithms (25)
    20 to obtain hash. It has a version for Java.
    b) A user program (4). An application has been developed in Java. This software contains a user interface and all the required logic:
    • Interface that allows the user to navigate through the storage unit (1),
    25 And select an electronic document regardless of its status, original (8) or encrypted (12), or encapsulated 15).
    • Browse the storage unit (1) and select a PKCS # 10 file (2).
    • Make calls to the cryptosystem (3) for all cryptographic processes
    30 contemplated in this invention, including calls to the PKCS # 11 library (16) to access the cryptographic token (5)
    • Ability to create, feed and query a conversion table (34) that has at least two fields: character field and equivalence field up to 16 bits. This table (34) is fed with all the characters that are
    35 recognized as standard by Base 64 encoding, if you have added multibyte characters (MBCS), which are not recognized by this Base 64 encoding
    • Ability to edit, read and count the bytes that make up a key
    5 symmetric and an asymmetric key. Including the logic necessary to assess, according to the encryption process required on each occasion, if the bytes that are to be encrypted asymmetrically have a size larger than the public key that you want to use, determining in each case whether or not to divide into blocks the product to be encrypted to obtain a size smaller than the key
    10 public. and ability to reverse the block division operation performed. This is an elementary process, available in any commonly used programming language.
    • Enter a PIN (10) and a symmetric key (9)
    • Ability to compare several hash bytes and determine if they are identical or 15 different.
    • Edit an encrypted electronic document (12) and enter the data container
    (21) that contains the information of the cryptographic processes carried out, and that have been labeled (13) according to the logic defined in this invention: 1.-each informative content has is associated with an identification tag
    20 (13), and 2.-there may be tags (13) that do not have informative content. The following label structure (26) has been developed for this example of practical application:
    [HOME] 25 [H] Hash of the original document
    [O] number of operator pairs[01]: identifier (19) of operator 1 of pair i (i <= O)(01 bytes): bytes of the public key (7) of operator 1[02]: identifier (19) of operator 2 of pair i (i <= O)
    30 (02 bytes): bytes of the public key (7) of operator 2
    [P] (4-byte integer): number of 64-byte parts of encryption done with operator 1
    [T] (4-byte integer): the size of the encryption done with operator 1
    (P * Tbytes): each 64-byte part is encrypted with operator 2 and an encrypted part of size T is written 35
    [A] AES
    [A2) RSA [END) The tags (13) act as information separators, while 5 identify each content, the set of tags and the information they contain make up the data container (21).
    • Edit the document with the logic necessary to extract the data container (21) from the encapsulated encrypted electronic document (15), leaving the encrypted electronic document (12) free of bytes from the data container (21).
    10 • Create a file capable of containing structured information, the XML format (22) has been chosen. Make the corresponding call to the cryptosystem (3) to access the public key information (7) contained in a PKCS # 10 file (2), and obtain: [KEY] bytes of the public key, [ID] identifier that shares with his pair of
    15 private key [TYPE] key type, [SIZE] key size in Bits. This information is stored in the XML container (22)
    • Ability to enter and read a data string containing identifier or usage key (29), which is stored in an XML file.
    • Ability to compare the bytes of two hashes, assessing whether they are identical or not. 20 • Ability to compare two data strings.
    c) An electronic signature device (5). It is an HSM token (harware security module), with a USB connector that assembles a cryptographic processor from ST Microelectronics. This token has a random number generator (20) 25 validated by the NIST, capable of producing numbers of a size equal to or greater than 128 bits, and a secure container of cryptographic keys, which stores the associated private key pair (6) to its public key pair ( ) with an identifier (19) that both keys share. It also integrates symmetric (31) and asymmetric (32) cryptographic algorithms, the necessary logic and the ability to perform encryption processes and
    30 decryption without the private key (6) leaving the security container. This hardware token (5) is interoperable using the PKCS API # 11 (16) supplied by its manufacturer STMicroelectronics.
    d) Two PKCS # 1 files OR (2) that in accordance with that international standard, each file contains its respective public key (7) associated with its private key pair (6) by the identifier they share (19)
    e) An electronic document (8) in pdf format, which contains as the only test text uHola mundo ".
    5 The following procedure is performed:
    Encryption of the electronic document:
    1. Users (17), connect their respective electronic signature devices HSM (5) to the computer terminal, each containing a private key (6)
    10 labeled with an identifier (19) that it shares with its public key pair (7); 2.-Two PKCS # 10 files (2) are available, each one containing a public key (7) labeled with an identifier (19) that it shares with its private key pair (6), it is also possible to use a electronic certificate according to X509 standard;
    3. Using the user program (4), the electronic document (8) is selected
    15 to be encrypted, the symmetric encryption algorithm (31) AES is selected, a symmetric key (9) of 256 bit size is entered, the identifiers are specified
    (19) "test1" and uprueba2 "of the public keys (7) that will be used to asymmetrically encrypt the symmetric key, specify that multilayer encryption is required, and give the order to start the process. The user program (4 ) perform the following
    20 process: a) Read a symmetric key (9) of 256-bit size that has been entered by the user. b) Use the cryptosystem (3), so that using the symmetric key (9) and having selected the symmetric algorithm (31) AES, encrypt the document
    25 electronic (8). The cryptosystem (3) generates the encrypted electronic document
    (12) c) The public keys (7) are read by selecting those whose identifier (19) corresponds to the two selected by the user. The size of each public key (2048 bits) (7) and the size of the key are consulted
    30 symmetric (256 bits) (9), and taking into account that multilayer encryption has been requested, evaluates the need to divide the symmetric key (9) into entire blocks of bytes. Confirming that the symmetric key, once encrypted, will be divided into four 64-bit blocks. d) The symmetric key (9) is encrypted with the first public key (7) indicated by
    35 the user, identifier (19) "test1". e) The encrypted symmetric key (11) is edited and divided into four blocks of 64
    bitsf) The four blocks (14) obtained from the division made of the keySymmetric encrypted (11) are encrypted with the second public key (7) indicated bythe user, identifier (19) "test2".g) The label structure (26) is edited and each label is loaded with theinformation related to the cryptographic process carried out:
    [START)[H) Hash of the original document (23)[H1] Hash (28) of the user program identifier (29) (4)[O): 1 (pair of operators)(01): Test1 (19)(01 bytes): bytes of the public key (7) of operator 1(02): Test2 (19)(02 bytes): bytes of the public key (7) of operator 2
    [P] 4 blocks of 64 bytes of encryption done with operator 1
    (T) 256 bytes the size of the encryption done with operator 1 (P * Tbytes). each 64-byte part is encrypted with operator 2 and an encrypted part of size T (14) [A) AES [A2) RSA is written
    [END) This set of information forms the data container (21) h) The encrypted electronic document (12) is edited, and the data container (21) is encapsulated inside
    Decryption of the encrypted electronic document:
    one. Users (17) connect their respective electronic signature devices HSM (5) to the computer terminal,
    2. The users (17) through the user program (4), enter their PIN (10) for activating the private key (6) and order the cryptosystem (3) to perform the decryption of the encrypted electronic document (12) and quality control Encryption The user program performs the following process:
    a) Edit the encapsulated encrypted electronic document (15), and locate the [START) and [END) tags. b) Having located the [START) and [END) tags, proceed to extract the data container (21), thus obtaining the encrypted electronic document (12).
    c) Edit the data container (21) And obtain the key identifiers
    public (19), the encrypted blocks (14) and the encryption algorithms used.
    5 3. The cryptosystem is ordered to decrypt the encrypted blocks (14) using the signing device (5), to perform this operation in addition to transferring the encrypted blocks (14) it is provided: PIN (10) for activation of the second private key (6), used when encrypting the blocks, and its key identifier "Test2" (19).
    10 4. The decrypted blocks are edited and linked, thus obtaining the encrypted symmetric key (11). The cryptosystem is ordered to decrypt the encrypted symmetric key (11) using the signing device (5), to perform this operation in addition to transferring the encrypted symmetric key (11) it is provided: PIN (10) for activation of the first private key (6), used when encrypting the blocks, and their
    15 key identifier "Test1" (19). The symmetric key is obtained (9)
    5. The cryptosystem (3) is ordered to decrypt the encrypted electronic document (12), to perform this operation it is also provided in addition to the encrypted electronic document (12), the symmetric key (9) and the symmetric encryption algorithm
    20 (31) employee. Obtaining the decrypted electronic document (33)
    According to a second embodiment of the system, in addition to all the elements indicated in the first embodiment, in order to improve access to public keys, proceed to:
    25 1. Complement step 2 of the encryption process, with the following procedure: a) Using the user program (4), an XML file (22) is created with the TAGs: [KEY), [ID), [TYPE ), [SIZE), and orders the Cryptosystem (3) to read the data contained in two PKCS # 10 files (2). The information contained in these two PKCS # 10 (2) files is loaded into the lAGs of the
    30 XML file (22): [KEY) bytes of the public key (7), [ID) "test1" "testT identifier that shares with your private key pair (19) [TYPE]" RSA "type of key [SIZE ] "2048" key size in Bits.
    According to a third embodiment of the system, in addition to all the elements indicated in the first embodiment, in order to guarantee the quality of the encryption, the following is carried out:
    1. Enter a previous step (a) to Step 3 of the encryption process, with the following procedure: a) Ask the cryptosystem (3) to obtain a hash (23) of the document
    5 original electronic (8) applying the digestion algorithm (25) SHA256.
    2. Enter some previous steps (a) (b) and (e) to Step 3 e) of the encryption process, with the following procedure: a) Ask the cryptosystem (3) to use the symmetric key (9) and the
    10 symmetric algorithm (31) AES used to encrypt original electronic document (8) decrypt the document (12).
    b) Ask the cryptosystem (3) to obtain a hash (24) of the decrypted electronic document, using the same digestion algorithm (25) SHA256 that was used to obtain the first hash (23).
    15 c) The first hash (23) obtained from the original is compared with the hash (24) obtained from the decrypted document (33). If the result is that they are identical, the encryption and decryption process is considered to have been correct. If on the contrary the hashes are different, the decrypted document
    (33) is not integral.
    20 3. If the encryption and decryption process was successful, in step 3 g) load the hash (23) in the [H] tag
    4. Enter a final step 6 to the decryption process, with the following procedure: a) The cryptosystem (3) is requested to apply, on the document
    25 electronic decryption, the same digestion algorithm (25) SHA256 that was used to obtain the first hash (23), obtaining the hash (24).
    b) The first hash (23) obtained from the original is compared with the hash (24) obtained from the decrypted document (33). If the result is that they are identical, the encryption and decryption process is considered to have been
    30 right. If on the contrary the hashes are different, the decrypted document (33) is not integral.
    According to a fourth embodiment of the system, in addition to all the elements indicated in the first embodiment, to automatically obtain a secure symmetric key 35, we proceed to:
    1. Enter a step that replaces step 3 a) of the encryption process, with the following procedure: a) A symmetric key is automatically generated and unassisted (9)
    5 using a random number generation algorithm (20) capable of generating numbers of a size equal to or greater than 128 bits. To perform this process, it uses the cryptographic capability of the hardware cryptographic token (5):
    to. The user program (4) through the cryptosystem (3) orders the
    10 PKCS API # 11 (16) that through a random number generation algorithm (20) obtains a random number of 256 bit size, which is used as a symmetric key (9).
    According to a fifth embodiment of the system, in addition to all the elements indicated 15 in the first embodiment, to associate the user program (4) with the documents it processes, it proceeds to:
    1. Enter a step prior to step 3 g) And that complements it with the following procedure · a) Read the identifier (29) of the user program (4) that is stored
    20 in an XML file.
    b) Using the cryptosystem (3), remove the hash (28) from the identifier (29), and include it in a label [H1] of the data container (21) that is encapsulated in the encrypted electronic document (12)
    2. Enter a complementary step to Step 2. c) decryption of the document,
    25 and which complements it with the following procedure: a) Read the hash (28) of the identifier (29) of the tag [H1], b) Read the identifier (29) of the user program (4) that is
    stored in an XML file, and using the cryptosystem (3) take out the hash (31) of the identifier (29)
    30 c) Compare the hash (28) contained in the tag, with the hash (30) obtained from identifier (29), if they are identical, the document is associated with this user program.
    权利要求:
    Claims (5)
    [1]
    1.-Hybrid method of encryption and decryption of electronic documents comprising5 the following steps:
    Step 1: The electronic document (8) is encrypted using a symmetric key (9) and a symmetric algorithm (31), resulting in an encrypted document (12). An asymmetric encryption algorithm (32) is selected with which to perform an encryption
    10 asymmetric multilayer symmetric key (9), using an asymmetric key (7) to encrypt each layer, which will result in an encrypted symmetric key (11).
    Step 2: The size of the symmetric key (9), the length and number of public keys (7) to be used, as well as the type of encryption required (32) are checked.
    15 When the product (9) or (11) to be encrypted asymmetrically has a size equal to or greater than the public key (7) with which you want to encrypt, that product is divided into whole blocks of bytes (14).
    Step 3: If the number of public keys (7) to be used requires it, the entire blocks
    20 bytes (14) encrypted, can be subdivided into other whole blocks of bytes (14) so that the size is always smaller than the public key (7) to use, this process can be replicated as many times as necessary.
    Step 4: For the encryption of the symmetric key (9) and I or the entire blocks of bytes (14)
    25 into which it has been divided, an asymmetric algorithm (32) and the bytes of one or more public keys (7) that are stored in a PKCS # 10 file (2), or in an electronic certificate X509v3 are used.
    Step 5: A data container (21) is created that stores all the information
    30 cryptographic necessary to reverse the encryption process, this container (21) structures the information through tags (13), in addition these tags serve as information separators, so you can include tags for that unique and exclusive purpose. There is no limit or restriction on the type of label, format, extension or quantity.
    Step 6: The encrypted electronic document (12) is edited, and the data container is encapsulated inside, obtaining an encapsulated encrypted electronic document (15)
    5 Step 7: For decryption of the encapsulated encrypted electronic document (15) youextract the data container (21) obtaining the encrypted electronic document (12).
    Step 8: The identifiers (19) of the public keys used, the blocks (14) or the encrypted symmetric key (11) are obtained from the data container (21), as well as all the information necessary to perform the cryptographic operations of decoded.
    Step 9: Using the identifier (19) of the public key used to encrypt, access the private key (6), which can be contained in a cryptographic hardware token (5), or in an information container (22) which includes the
    15 key identifier (19), with the private key (6) we proceed to decrypt the blocks (14) or the encrypted symmetric key (11), using the same asymmetric algorithm (32) used for decryption encrypt it
    Step 10: If the symmetric key (9) was divided into whole blocks of bytes (14), the 20 decrypted blocks are joined to obtain the symmetric key (9).
    Step 11: Using the decrypted symmetric key (9), the encrypted document (12) is decrypted using the same symmetric algorithm (31) that was used to encrypt it. Obtaining the decrypted electronic document (33)
    [2]
    2. Method according to Claim 1, characterized in that in Step 4 it also comprises:
    Edit the PKCS # 10 file (2) and extract at least the bytes of the
    30 public key (7), and its identifier (19). Store that information in a structured information file (22), and use that file (22) to read the bytes of the public key (7) and its identifier (19) in order to perform the encryption processes.
    [3]
    3. Procedure according to Claim 1, characterized by performing a previous step (a) to Step 1, by performing a previous step (b) to Step 2, and a complementary step (e) to Step 11, which comprises:
    a) A hash (23) of the original electronic document (8) is obtained using a summary algorithm (25). b) The encrypted document (12) is decrypted with the symmetric key (9) and the symmetric algorithm (31) used to encrypt it, it is applied over the decrypted document
    10 (33) the same summary algorithm (25) used in step a), obtaining a hash (24) that compares with the first hash (23) a), if both hash are identical the decrypted electronic document (33) It is complete with respect to the original document (8). c) The same summary algorithm is applied to the decrypted document (33)
    15 (25) used in step a), obtaining a hash (24) that compares with the first hash (23) a), if both hash are identical the decrypted electronic document (33) is integral with respect to the original document (8 ).
    [4]
    4.-Procedure according to Claim 1, characterized in that it has a
    20 data container (34) that stores equivalences of all characters recognized as standard in Base 64 and, equivalences that are not recognized as standard by Base 64, and the logic of equivalences recorded in that container (34) is used to perform a subsequent step (a) to Step 6, and perform a previous step (b) to Step 7, which comprises:
    25 a) A verification of the encrypted and encapsulated electronic document (15) is performed, in order to determine if any of its characters match any of the contents in the container (34), if it coincides, the document is encoded (15 ) using the logic of equivalences
    30 stored in the container (34), if any character does not co-index, the coding is not performed. b) If it has been possible to encode the document, decoding is performed using the equivalence logic of the container (34)
    35 5. Method according to Claim 1, characterized by performing a step prior to
    Step 1, which includes:
    Automatic generation of a symmetric key (9) using a random number generation algorithm 5 (20) without size limitation.
    [6]
    6. Procedure according to Claim 1, characterized in that the user program (4) has a unique identifier (29), and with that identifier (29) a previous step (a) to Step 5 is performed, and a previous step ( b) to Step 8 which includes:
    10 a) Include the identifier (29) in the data container (2 1) that is encapsulated in the encrypted electronic document (12). It is also possible to apply a summary algorithm (25) to the identifier (29) and store the hash (28). This information will indicate whether the stored data is the identifier (29) or the
    15 hash (28) of that identifier (29). b) The identifier (29) of the user program (4) that initiated the decryption process is checked, and compared with the identifier (29) stored in the data container (21), if the program of identification is not identical user (4) is not associated with the encrypted document (12). If the identifier (29)
    20 stored in the data container (21) is a hash (28), a summary algorithm (25) is applied on the identifier (29) of the user program (4) obtaining a hash (30), both hashs are compared and if they are the same, the user program (4) is associated with the encrypted electronic document (12).
    类似技术:
    公开号 | 公开日 | 专利标题
    CN106778205A|2017-05-31|Verified with the no data storehouse of physics unclonable function
    US9043610B2|2015-05-26|Systems and methods for data security
    US20100005318A1|2010-01-07|Process for securing data in a storage unit
    US10110380B2|2018-10-23|Secure dynamic on chip key programming
    US7499552B2|2009-03-03|Cipher method and system for verifying a decryption of an encrypted user data key
    US9537657B1|2017-01-03|Multipart authenticated encryption
    US10148437B2|2018-12-04|Encryption system with key recovery
    CN110519260B|2020-09-25|Information processing method and information processing device
    US10630474B2|2020-04-21|Method and system for encrypted data synchronization for secure data management
    TWI629608B|2018-07-11|Method for copy-protected storage of information on a data carrier
    US8995653B2|2015-03-31|Generating a secret key from an asymmetric private key
    US20190140819A1|2019-05-09|System and method for mekle puzzles symeteric key establishment and generation of lamport merkle signatures
    TW201141172A|2011-11-16|Methods, circuits, devices, and systems for provisioning of cryptographic data to one or more electronic devices
    WO2012053886A1|2012-04-26|A method and system for file encryption and decryption in a server
    WO2020155779A1|2020-08-06|Method and apparatus for authenticating digital signature, computer device and storage medium
    WO2021051757A1|2021-03-25|Two-dimensional code-based file acquisition method and device and two-dimensional code generation method
    JP2003143131A|2003-05-16|Electronic information management device, portable information terminal device, management server device and program
    KR20160045752A|2016-04-27|Identity authentication system, apparatus, and method, and identity authentication request apparatus
    CN110490008B|2021-08-10|Security device and security chip
    ES2613881B1|2018-04-02|HYBRID METHOD OF ENCRYPTING AND DEFRYING ELECTRONIC DOCUMENTS
    BRPI0811911B1|2020-10-20|AUTHENTICATION METHOD FOR SAFE DATA TRANSMISSION, ELECTRONIC DEVICE, SYSTEM AND MEDIA LEGIBLE BY COMPUTER
    CN101043334B|2011-09-07|Method and device of encryption and data certification and decryption and data authenticity validating
    WO2019152201A1|2019-08-08|Secure crypto system attributes
    US20040264702A1|2004-12-30|Method and apparatus for producing cryptographic keys
    US10630470B2|2020-04-21|Zone based key version encoding
    同族专利:
    公开号 | 公开日
    ES2613881B1|2018-04-02|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    EP0792041A2|1996-02-20|1997-08-27|International Business Machines Corporation|Method and apparatus for block encryption|
    US20080270807A1|2004-04-15|2008-10-30|Randolph Michael Forlenza|Method for Selective Encryption Within Documents|
    US20090097657A1|2007-10-05|2009-04-16|Scheidt Edward M|Constructive Channel Key|
    US20090225988A1|2008-03-04|2009-09-10|Canon Kabushiki Kaisha|Information processor, information processing method and system|
    WO2012021839A2|2010-08-12|2012-02-16|Orsini Rick L|Systems and methods for secure remote storage|
    US20120179909A1|2011-01-06|2012-07-12|Pitney Bowes Inc.|Systems and methods for providing individual electronic document secure storage, retrieval and use|
    法律状态:
    2018-04-02| FG2A| Definitive protection|Ref document number: 2613881 Country of ref document: ES Kind code of ref document: B1 Effective date: 20180402 |
    优先权:
    申请号 | 申请日 | 专利标题
    ES201630804A|ES2613881B1|2016-06-13|2016-06-13|HYBRID METHOD OF ENCRYPTING AND DEFRYING ELECTRONIC DOCUMENTS|ES201630804A| ES2613881B1|2016-06-13|2016-06-13|HYBRID METHOD OF ENCRYPTING AND DEFRYING ELECTRONIC DOCUMENTS|
    [返回顶部]