In one-on-one secure communications, a message can be transmitted securely only when confidentiality, integrity, and source authentication are all satisfied during the communication. Confidentiality means that the contents of the message cannot be obtained by a third party during transmission. Integrity means that the receiving party must be able to verify that the received message contents are consistent with the contents transmitted by the transmitting party, i.e., that the message contents have not been tampered with. Source authentication means that the receiving party must be able to verify that the message was indeed transmitted by the expected transmitting party.
In network communications, a symmetric encryption/decryption method is usually used as a mechanism of the secure communication. The transmitting party and the receiving party reach an agreement on a key in advance and then the transmitting party encrypts the message to be transmitted into an encrypted file by using the key and a symmetric encryption algorithm. After receiving the encrypted file, the receiving party decrypts the encrypted file by using the same key and a symmetric decryption algorithm corresponding to the symmetric encryption algorithm so as to obtain the message transmitted by the transmitting party previously.
If the data size of the message to be encrypted by the transmitting party is greater than one block that can be processed by the symmetric encryption algorithm, a block operation mode must be adopted as well. The block operation mode chains the individual message blocks together in a secure way, so that no message block is revealed on its own and the blocks cannot be attacked independently. The cipher block chaining (CBC) mode is one of the block operation modes; its encryption mechanism and decryption mechanism are shown in FIGS. 1A and 1B, respectively.
As shown in FIG. 1A, the encryption mechanism of the CBC mode is to divide the electronic file M to be transmitted into a plurality of message blocks m1, m2, m3, m4, . . . , mt of the same size and perform encryption on each of the message blocks m1, m2, m3, m4, . . . , mt individually. Specifically, for the first one of the message blocks (i.e., the message block m1), the encryption mechanism firstly performs an exclusive OR (XOR) operation on the message block m1 and an initial vector IV and then performs an encryption operation E on the result of the XOR operation by using the symmetric encryption algorithm and a key K so as to generate an encrypted block c1 corresponding to the message block m1. For each of the other message blocks (i.e., the message blocks m2, m3, m4, . . . , mt), the encryption mechanism firstly performs the XOR operation on the message block and an encrypted block corresponding to a previous message block thereof (i.e., encrypted blocks c1, c2, c3, c4, . . . , ct-1) and then performs the encryption operation E on the result of the XOR operation by using the symmetric encryption algorithm and the same key K so as to generate an encrypted block (i.e., encrypted blocks c2, c3, c4, . . . , ct). Finally, the encryption mechanism concatenates the encrypted blocks c1, c2, c3, . . . , ct to generate an electronic encrypted file C.
As shown in FIG. 1B, the decryption mechanism of the CBC mode divides the electronic encrypted file C received into a plurality of encrypted blocks c1, c2, c3, c4, . . . , ct of the same size and performs decryption on each of the encrypted blocks c1, c2, c3, c4, . . . , ct individually. Specifically, for the first one of the encrypted blocks (i.e., the encrypted block c1), the decryption mechanism firstly performs a decryption operation D by using a symmetric decryption algorithm corresponding to the symmetric encryption algorithm and the same key K and then performs an XOR operation on the decryption result and the initial vector IV so as to generate the message block m1 corresponding to the encrypted block c1. For each of the other encrypted blocks (i.e., the encrypted blocks c2, c3, c4, . . . , ct), the decryption mechanism also firstly performs the decryption operation D by using the symmetric decryption algorithm and the same key K and then performs an XOR operation on the decryption result and a previous encrypted block thereof (i.e., the encrypted blocks c1, c2, c3, c4, . . . , ct-1) so as to generate a message block (i.e., the message blocks m2, m3, m4, . . . , mt). Finally, the decryption mechanism generates the electronic file M by concatenating the message blocks m1, m2, m3, . . . , mt.
The symmetric encryption/decryption algorithm can satisfy the requirement of confidentiality but cannot satisfy the requirement of integrity. Specifically, even if the electronic encrypted file is tampered with by an attacker, the receiving party can still perform the decryption operation on the tampered electronic encrypted file after receiving it. For example, if the aforesaid electronic encrypted file C (which comprises the encrypted blocks c1, c2, c3, . . . , ct) is tampered with by the attacker into an electronic encrypted file C′ (which comprises encrypted blocks c1′, c2, c3, . . . , ct), the receiving party can still decrypt the electronic encrypted file C′ into an electronic file M′ (which comprises message blocks m1′, m2′, m3, m4, . . . , mt), as shown in FIG. 1C. However, in most cases, the receiving party cannot determine whether the message obtained by decryption (e.g., the electronic file M′) is genuine. Especially when the message transmitted by the transmitting party is a program or other content that cannot be recognized by the server or by a person, the receiving party cannot detect any abnormality in the message obtained by decrypting the tampered electronic encrypted file.
If the security requirement of integrity cannot be achieved, then source authentication cannot be satisfied either. Specifically, the attacker may select any random number as the electronic encrypted file and transmit it to the receiving party while impersonating the transmitting party. The receiving party will decrypt the electronic encrypted file received (i.e., the random number selected by the attacker) into a plain text by using the key and the symmetric decryption algorithm. The receiving party cannot detect any abnormality in the electronic encrypted file received or in the plain text obtained by decryption, because the receiving party is not able to perform integrity verification. The main reason is that the key is shared by the transmitting party and the receiving party, so the receiving party will consider the plain text obtained by decryption to have been transmitted by the transmitting party although, in fact, the electronic encrypted file was transmitted by the attacker. It follows that the source cannot be authenticated when the integrity requirement cannot be satisfied by the symmetric encryption/decryption algorithm alone.
As a solution to the aforesaid problem, a plurality of methods may be adopted. For example, a solution in which the transmission is performed by adopting the secure sockets layer (SSL)/transport layer security (TLS) mechanism is shown in FIG. 1D. The transmitting party and the receiving party reach an agreement on two keys K and Km in advance. When the transmitting party wants to transmit an electronic file MS to the receiving party, the transmitting party firstly performs a message authentication code (MAC) operation MAC on the electronic file MS by using the key Km to generate a message authentication code z1. Then, the transmitting party concatenates the electronic file MS and the message authentication code z1 and performs an encryption operation E on the concatenation result by using the symmetric encryption algorithm and the key K to generate an electronic encrypted file CN. After receiving the electronic encrypted file CN, the receiving party firstly performs a decryption operation D by using the symmetric decryption algorithm and the key K and obtains an electronic file MD and a message authentication code z2. Then, the receiving party performs the message authentication code operation MAC on the electronic file MD by using the key Km to generate a message authentication code z3. Subsequently, the receiving party performs a comparing operation CMP on the message authentication code z3 and the message authentication code z2 obtained by decryption. If the result of the comparing operation CMP is that the message authentication code z3 is the same as the message authentication code z2, it indicates that the electronic file MD has not been tampered with during the communication and is consistent with the contents of the electronic file MS transmitted by the transmitting party.
However, if the result of the comparing operation CMP is that the message authentication code z3 is different from the message authentication code z2, it indicates that the electronic file MD obtained by decryption has been tampered with during the communication.
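The following is an added example, not code from the original text: it implements the CBC mechanism of FIGS. 1A/1B with AES-128 as E/D, reproduces the FIG. 1C observation that altering c1 silently corrupts m1 and m2 while decryption still succeeds, and then shows the MAC-then-encrypt exchange of FIG. 1D with HMAC-SHA256 as the MAC operation (the choice of AES-128, HMAC-SHA256 and the helper names `cbc`, `changedBlocks`, `sealMtE`, `openMtE` are assumptions; inputs are taken to be whole 16-byte blocks, so padding is omitted).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// cbc is the CBC mechanism of FIGS. 1A/1B with AES-128 as E/D: pass cipher.NewCBCEncrypter or cipher.NewCBCDecrypter; whole 16-byte blocks only.
func cbc(mode func(cipher.Block, []byte) cipher.BlockMode, k, iv, in []byte) []byte {
	blk, err := aes.NewCipher(k)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	mode(blk, iv).CryptBlocks(out, in)
	return out
}

// changedBlocks decrypts c and a copy with one bit of c1 flipped (the C' of FIG. 1C)
// and lists the 1-based plaintext blocks that differ; decryption itself never fails.
func changedBlocks(k, iv, c []byte) []int {
	tampered := append([]byte(nil), c...)
	tampered[0] ^= 0x01
	m, mp := cbc(cipher.NewCBCDecrypter, k, iv, c), cbc(cipher.NewCBCDecrypter, k, iv, tampered)
	var diff []int
	for i := 0; i < len(m); i += 16 {
		if string(m[i:i+16]) != string(mp[i:i+16]) {
			diff = append(diff, i/16+1)
		}
	}
	return diff
}

// sealMtE is the sender of FIG. 1D: z1 = HMAC-SHA256(Km, MS), CN = E_K(MS || z1); the 32-byte tag keeps MS block-aligned.
func sealMtE(k, km, iv, ms []byte) []byte {
	h := hmac.New(sha256.New, km)
	h.Write(ms)
	return cbc(cipher.NewCBCEncrypter, k, iv, append(append([]byte(nil), ms...), h.Sum(nil)...))
}

// openMtE is the receiver: D_K, split off z2, recompute z3 over MD, constant-time CMP; ok is false if CN was altered.
func openMtE(k, km, iv, cn []byte) (md []byte, ok bool) {
	p := cbc(cipher.NewCBCDecrypter, k, iv, cn)
	md, z2 := p[:len(p)-sha256.Size], p[len(p)-sha256.Size:]
	h := hmac.New(sha256.New, km)
	h.Write(md)
	return md, hmac.Equal(h.Sum(nil), z2)
}
```

With a three-block plaintext, `changedBlocks` reports blocks 1 and 2 as corrupted after a single-bit change to c1, whereas `openMtE` rejects the same kind of change outright because z3 no longer matches z2.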
The “MAC-then-encrypt” method adopted by the aforesaid SSL/TLS mechanism is capable of satisfying the three basic security requirements of confidentiality, integrity and source authentication simultaneously because an agreement has been reached on the two keys K and Km in advance. A plurality of methods for calculating the message authentication code is available in the conventional art. A common method is to use a keyed-hash message authentication code (HMAC) built from a hash function. Another method is to use a cipher block chaining message authentication code (CBC-MAC), which is a block cipher run in the CBC mode. The calculating efficiency of the HMAC is determined by the hash function adopted. To satisfy the security requirements, the hash algorithms usually adopted are SHA-1, SHA-2 and the like. However, the calculating efficiency of these relatively complex hash algorithms is comparable to that of the common advanced encryption standard (AES). On the other hand, in the case of the CBC-MAC, although only the last block of the encrypted file is used as the output, the entire input data is encrypted once during the calculation. In other words, the calculating efficiency of the CBC-MAC is equivalent to that of the block encryption algorithm adopted.
Accordingly, when the MAC-then-encrypt method is adopted, the calculating time is double that taken when no message authentication code is used, the extra time being spent on calculating the message authentication code. When the message to be encrypted has a very large data size, this doubled time is still a significant burden for general applications. Accordingly, an urgent need exists in the art for a solution capable of reducing the time cost while satisfying the three basic security requirements of confidentiality, integrity and source authentication.