Journal of Information Security Research ›› 2019, Vol. 5 ›› Issue (10): 887-891.


Research on Group Encryption Technology Based on IBE

  

  • Received: 2019-10-08 Online: 2019-10-15 Published: 2019-10-08

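Huo Bo1, Long Yihong1, Liu Xu2

  1. School of Information Engineering, Wuhan University of Technology
  2. Beijing Tianwei Chengxin E-Commerce Services Co., Ltd.
  • Corresponding author: Huo Bo
  • About the authors: Huo Bo, master's student; main research interest: information security. 1296508341@qq.com. Long Yihong, Ph.D., professor; main research area: information security technology. longyihong@sina.com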

Abstract: Simple key-sharing schemes are not suited to groups whose membership changes dynamically, and today's standard applications cannot effectively support group encryption. To address both problems, this paper studies a group cryptosystem based on identity-based encryption (IBE). The system consists mainly of three modules: an identity and group management system, an IBE cryptographic service provider (CSP) that supports group encryption, and a cryptographic server. In the identity and group management system, users can register secure personal and group identifiers and deregister the unusable identifiers that correspond to leaked private keys; they can also create, join, exit, manage and dissolve groups. Both the IBE CSP that supports group encryption and the cryptographic server support group encryption and decryption and automatic updating of the group shared key. The two decryption methods are compatible with each other, and users can choose between them. Most standard applications do not support the IBE algorithm, and IBE has no function similar to certificate revocation for dealing with key leakage. A pseudo RSA digital certificate is therefore designed, with which the group cryptosystem is successfully applied to the standard application Exchange. A time policy and an index policy are added to the group identifier to form an extended group identifier that is used to update, recover or destroy keys, so the scheme remains usable when group members are dynamically updated.

Key words: group encryption, IBE, identity extension, CSP, pseudo RSA, Exchange