CN113810432A - Quantum-safe data encryption method, encryption equipment and storage medium - Google Patents

Quantum-safe data encryption method, encryption equipment and storage medium Download PDF

Info

Publication number
CN113810432A
CN113810432A CN202111372817.8A CN202111372817A CN113810432A CN 113810432 A CN113810432 A CN 113810432A CN 202111372817 A CN202111372817 A CN 202111372817A CN 113810432 A CN113810432 A CN 113810432A
Authority
CN
China
Prior art keywords
key
quantum
session
negotiation
original
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111372817.8A
Other languages
Chinese (zh)
Other versions
CN113810432B (en
Inventor
冯凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Alibaba Cloud Computing Ltd
Original Assignee
Alibaba China Co Ltd
Alibaba Cloud Computing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba China Co Ltd, Alibaba Cloud Computing Ltd filed Critical Alibaba China Co Ltd
Priority to CN202111372817.8A priority Critical patent/CN113810432B/en
Publication of CN113810432A publication Critical patent/CN113810432A/en
Application granted granted Critical
Publication of CN113810432B publication Critical patent/CN113810432B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography

Abstract

The embodiment of the application provides a quantum-safe data encryption method, encryption equipment and a storage medium. In the embodiment of the application, the quantum security capability is fused into the existing encryption equipment in a modularized mode, the quantum security capability is added to the existing encryption equipment on the premise of keeping the original function of the encryption equipment, and the original function of the encryption equipment is not influenced; after the quantum key and the original key are mixed, a session key is generated, the session key is used for data encryption, the reasonable fusion of a quantum security technology and classical cryptography can be realized, the multilevel key is used for data encryption, the quantum security capability is added on the premise of not reducing any existing security, and higher password agility is given to the existing encryption equipment.

Description

Quantum-safe data encryption method, encryption equipment and storage medium
Technical Field
The present application relates to the field of data security technologies, and in particular, to a quantum-secure data encryption method, encryption device, and storage medium.
Background
The encryption machine is a domestic autonomously developed host encryption device which is authenticated and approved to be used by the national commercial code administration, and the encryption machine and the host can communicate by using a TCP/IP protocol. The encryption machine is widely used in financial institutions such as banks, unions of bank, third-party payment and the like, and is mainly used for encrypting and decrypting bank card passwords, calculating transaction MAC, ensuring the security of sensitive data in transactions and the like.
However, with the development of quantum computing technology, the security of the encryptor is also threatened, and therefore, it is urgently required to add the quantum attack resistance to the encryptor.
Disclosure of Invention
Aspects of the present disclosure provide a quantum secure data encryption method, an encryption device, and a storage medium, which are used to improve security of the encryption device.
The embodiment of the application provides a quantum secure data encryption method, which is suitable for encryption equipment, wherein a quantum secure key component is deployed in the encryption equipment, and the method comprises the following steps:
negotiating an original key for the first session with the opposite end in response to the data encryption request;
determining a quantum key corresponding to the first session by using a quantum security key component of the home terminal, wherein the quantum key is generated by performing quantum key negotiation between the home terminal and the opposite terminal based on the respective quantum security key components;
mixing an original key and a quantum key corresponding to the first session to obtain a session key of the first session;
data during the first session is encrypted using a session key for the first session.
The embodiment of the application also provides an encryption device, which comprises a memory, a processor, an original key component and a quantum security key component;
the memory is to store one or more computer instructions;
the processor, coupled with the memory, the raw key component, and the quantum secure key component, to execute the one or more computer instructions to:
negotiating an original key for the first session with the opposite end in response to the data encryption request;
determining a quantum key corresponding to the first session by using a quantum security key component of the home terminal, wherein the quantum key is generated by performing quantum key negotiation between the home terminal and the opposite terminal based on the respective quantum security key components;
mixing an original key and a quantum key corresponding to the first session to obtain a session key of the first session;
data during the first session is encrypted using a session key for the first session.
Embodiments of the present application also provide a computer-readable storage medium storing computer instructions that, when executed by one or more processors, cause the one or more processors to perform the aforementioned data encryption method.
In the embodiment of the application, the quantum security capability is fused into the existing encryption equipment in a modularized mode, the quantum security capability is added to the existing encryption equipment on the premise of keeping the original function of the encryption equipment, and the original function of the encryption equipment is not influenced; after the quantum key and the original key are mixed, a session key is generated, and the session key is used for data encryption, so that the reasonable fusion of a quantum security technology and classical cryptography can be realized, the quantum security capability is added on the premise of not reducing any existing security, and higher password agility is given to the existing encryption equipment.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic structural diagram of an encryption device according to an exemplary embodiment of the present application;
FIG. 2 is a diagram illustrating an internal structure and an operation principle of a quantum secure key assembly according to an exemplary embodiment of the present application;
fig. 3 is a schematic diagram illustrating an operation principle of an encryption device according to an exemplary embodiment of the present application;
FIG. 4 is a schematic diagram of an application scenario provided by an exemplary embodiment of the present application;
fig. 5 is a schematic diagram illustrating an operation principle of another encryption device according to an exemplary embodiment of the present application;
FIG. 6 is a schematic diagram of another application scenario provided by an exemplary embodiment of the present application;
fig. 7 is a flowchart illustrating a quantum secure data encryption method according to another exemplary embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, with the development of quantum computing technology, the security of the existing encryptor is also threatened, so that the encryptor needs to be added with the capability of resisting quantum attack. To this end, in some embodiments of the present application: the quantum security capability is integrated into the existing encryption equipment in a modularized mode, the quantum security capability is added to the existing encryption equipment on the premise of keeping the original function of the encryption equipment, and the original function of the encryption equipment is not influenced; after the quantum key and the original key are mixed, a session key is generated, and the session key is used for data encryption, so that the reasonable fusion of a quantum security technology and classical cryptography can be realized, the quantum security capability is added on the premise of not reducing any existing security, and higher password agility is given to the existing encryption equipment.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of an encryption device according to an exemplary embodiment of the present application. As shown in fig. 1, the cryptographic device may include a memory 10, a processor 20, a raw key component 30, and a quantum secure key component 40, the processor 20 may be coupled to the memory 10, the raw key component 30, and the quantum secure key component 40.
The encryption device provided by the embodiment can be applied to various data security scenes, such as financial data security scenes of securities, banks and the like, clearing payment scenes of a network platform and the like, and the application scene is not limited by the embodiment. It is further understood that the encryption component may of course comprise further components than the several components described above, such as power components, communication components, etc., which are not exhaustive here.
The encryption device provided by the present embodiment may be an encryption machine. The encryption machine is a domestic independently developed host encryption device which is authenticated and approved to be used by the national commercial crypto administration, the original functional characteristics of the encryption machine comprise key association, key operation, message verification, data encryption, signature verification and the like, meanwhile, the encryption machine has the capability of safety protection on the aspect of hardware design, and the encryption machine can provide encryption device interfaces such as an SDF interface, a PKCS #11 interface and/or a JCE interface and the like so as to realize the original functions.
Referring to fig. 1, a quantum security key component 40 may be added to an existing encryption device in a modular fashion without affecting the original key component 30 of the encryption device, and the quantum security key component 40 may interact with the original key component 30 of the encryption device to achieve fusion of quantum security and original functionality. This ensures that the encryption device can also provide original functionality based on the original key component 30. In addition, with the quantum secure key component 40 as a bridge, the encryption device may also support access to external quantum devices, including but not limited to a quantum random number generator, a quantum key distribution device, and the like, which may effectively improve the security performance of the quantum secure key component 40.
In this embodiment, the encryption device may be deployed on the host to support the host to provide an encryption service, and ensure data security. In different application scenarios, the types of hosts may not be completely the same, for example, the host may be a cloud server, or a host in a user room, and the like.
In this embodiment, the processor 20 may utilize a local quantum secure key component to determine a quantum key corresponding to the first session. The quantum key is generated by quantum key negotiation between the local terminal and the opposite terminal based on respective quantum secure key components.
In this embodiment, multiple implementation manners may be used between the home terminal and the peer terminal to perform quantum key negotiation.
In one implementation, the quantum key component of the local terminal and the quantum key component of the opposite terminal may perform quantum key negotiation directly to generate a quantum key corresponding to the first session. In this implementation, quantum key agreement is performed in advance between the quantum secure key component of the local end and the quantum secure key component of the opposite end, so as to generate a quantum key set in each of the two parties. Therefore, a quantum key negotiation channel can be established between the quantum key security component of the local terminal and the quantum key security component of the opposite terminal, and negotiation parameters required by quantum key negotiation are exchanged through the quantum key negotiation channel, so that quantum key negotiation between the two parties is realized. It should be understood that the negotiation channel of the quantum key is independent of the negotiation channel of the original key, and the negotiation channel of the quantum key may be a communication channel dedicated to the service quantum key negotiation work. Optionally, the negotiation channel of the quantum key may adopt a secure communication channel guaranteed by national security TLS, and the like.
Fig. 2 is a schematic diagram illustrating an internal structure and an operation principle of a quantum secure key component according to an exemplary embodiment of the present application. Referring to fig. 2, in this implementation, the quantum secure key component 40 may include a core task processing layer, a quantum secure key management layer, and an interface services layer. The core task processing layer can be used for negotiation and processing of quantum security keys, and can support fusion of multiple quantum security technologies, including but not limited to multiple PQC algorithms, multiple QKD protocols, and multiple QRNG quantum random generators with different principles. The quantum secure key management layer may be used to group manage the generated quantum key sets. The interface service layer can be used for outputting the quantum key.
Fig. 3 is a schematic diagram illustrating an operating principle of an encryption device according to an exemplary embodiment of the present application. In fig. 3, the encryption devices of the present embodiment are respectively deployed on the hosts of the branch office a and the branch office B as an exemplary application scenario. Referring to fig. 3, in this implementation, when the encryption device deployed in the branch office a is taken as the local end, quantum key negotiation may be performed between the quantum secure key component 40 of the local end and the quantum secure key component 40 of the opposite end to generate a quantum key set, where the quantum key set may include multiple quantum keys, and the multiple quantum keys may use key identifiers as indexes. Wherein, the quantum key negotiation operation between the local terminal and the opposite terminal can be completed before the original key negotiation operation is started, which is not necessary. In addition, after the quantum key in the quantum key set is consumed and insufficient, quantum key negotiation can be performed again between the quantum security key modules of the local terminal and the opposite terminal to complement the quantum key set, so that quantum security support can be performed on more sessions. Referring to fig. 2, in the present embodiment, a core task processing layer in the quantum secure key component 40 may be utilized for quantum key negotiation. Optionally, in this embodiment, the local quantum secure key component 40 may be externally connected with a quantum random number generator, and based on this, the local quantum secure key component 40 may be utilized by the local processor 20 to obtain a quantum random number from the quantum random number generator; and calling a specified quantum key negotiation algorithm to carry out quantum key negotiation with the opposite terminal according to the quantum random number so as to generate a quantum key set. For example, the PQC KEM algorithm may be used to transmit the materials required for key agreement including random numbers, public keys, and cipher text over the secure communication channel guaranteed by the national security TLS; after the PQC KEM algorithm is successfully executed, the quantum secure key components 40 at the local end and the opposite end can respectively obtain the same shared secret (shared secret), and at this time, the shared secret is used as the input of HKDF, so that the quantum key with the cryptology security can be finally obtained. An exemplary quantum key agreement scheme may be:
1. the local terminal and the opposite terminal establish a safe communication link based on the state secret TLS as a negotiation channel of the quantum key.
2. The quantum security key component 40 at the home end may obtain quantum random numbers from a QRNG (quantum random number generator).
3. The quantum security key component 40 at the local end can obtain a public and private key pair by calling a key generation function of the post-quantum cryptography PQC KEM.
4. At this time, the quantum secure key component 40 of the local end may send the public key and the quantum random number as key agreement materials to the quantum secure key component 40 of the opposite end through the national key TLS.
5. The quantum secure key component 40 of the opposite end can receive the message sent by the local end, firstly, the random number in the message is stored for use in the subsequent HKDF calculation.
6. The quantum secure key component 40 of the opposite end may also use the public key in the message as an input of the encapsulation function of the PQC KEM to obtain the cipher text and the shared secret (shared secret).
7. The quantum secure key component 40 at the opposite end may also send the cipher text as a key agreement material to the quantum secure key component 40 at the home end through the country TLS. After receiving the secret key, the quantum secure key component 40 at the local end uses the cipher text and the private key as the input of the decapsulation function to obtain the same shared secret (shared secret) as the opposite end.
8. The quantum secure key components 40 of the home terminal and the peer terminal both obtain the same shared secret (shared secret) at this time, and respectively use the shared secret as the input of each HKDF extract algorithm, and obtain a Pseudo Random Key (PRK) together with a pre-shared key (PSK) pre-configured to both parties.
9. The quantum secure key components 40 of the home terminal and the opposite terminal respectively use the PRK and the random number shared by the two parties as input parameters of the HKDF extended function to obtain derived keys which can be used as quantum keys.
It should be understood that the quantum key agreement scheme in the present embodiment is not limited thereto.
On this basis, in this implementation, quantum secure key component 40 may distribute a quantum key for the first session from a quantum key set. In an alternative implementation: the processor 20 at the local end may obtain a session identifier of the first session; providing the session identification to the quantum secure key component 40 at the home end; and distributing the quantum key for the session identification of the first session from the quantum key set by using the quantum secure key component 40 of the local terminal to obtain the quantum key corresponding to the first session. The session identifier is used to uniquely identify the first session, i.e. to distinguish between different sessions, so that different base keys and quantum keys can be generated for different sessions.
In addition, in order to ensure that the opposite end can accurately determine the quantum key of the first session, referring to fig. 3, in this embodiment, the processor 20 of the home end may further obtain, by using the quantum secure key component 40 of the home end, a key identifier associated with the quantum key corresponding to the first session; and providing the key identification corresponding to the first session to the opposite end, so that the opposite end searches the quantum key corresponding to the key identification based on the quantum secure key component 40 of the opposite end and mixes the searched quantum key and the original key to obtain the session key of the first session. As mentioned above, the quantum key set is indexed by the key identifier, so that the peer can accurately find the required quantum key from the quantum key set based on the key identifier, thereby ensuring that the peer can generate an accurate session key. The session key of the first session obtained by the local terminal and the opposite terminal may be a symmetric key.
It is possible for the home terminal to no longer be the initiator of encryption in other sessions, but to become the partner. In this implementation, taking the second session as an example, in the second session, the local end will be used as a partner, in this case, for the processor 20 of the local end, an original key for the second session may be negotiated with the opposite end; receiving a key identification corresponding to a second dialogue sent by an opposite terminal; searching a quantum key associated with the key identifier corresponding to the second session from the quantum key set by using the quantum secure key component 40 of the home terminal, and taking the quantum key as the quantum key corresponding to the second session; the quantum key set is generated by performing quantum key negotiation between the quantum security key component 40 at the home terminal and the quantum security key component at the opposite terminal; mixing an original key and a quantum key corresponding to the second session to obtain a session key of the second session; data during the second session is encrypted using a session key for the second session.
In this case, in the process of looking up the quantum key associated with the key identification corresponding to the second session from the quantum key set: the processor 20 at the local end may obtain a session identifier of the second dialog; providing the session identifier and the key identifier corresponding to the second session to the quantum secure key component 40 at the local end; and searching a quantum key associated with the key identification corresponding to the second session from the quantum key set by using the quantum secure key component 40 of the local terminal, and distributing the quantum key to the session identification of the second session to obtain the quantum key associated with the key identification corresponding to the second session. For details of the related technology, reference may be made to the foregoing description of the process for determining the quantum key for the first session, which is not described herein again.
With continued reference to fig. 3, in this implementation, the processor 20 may negotiate an original key for the first session with the peer in response to the data encryption request. Wherein, the local terminal and the opposite terminal can perform original key negotiation based on the basic key components of the local terminal and the opposite terminal. In this embodiment, a specific negotiation process of the original key is not limited, and in different application scenarios, negotiation schemes of the original key used between the encryption devices may not be completely the same, and may be adjusted according to actual needs. An exemplary original key negotiation scheme may be: calling an original encryption interface of the home terminal to generate a negotiation parameter A for the first session; providing the negotiation parameter A to the opposite terminal through a negotiation channel of the original key so that the opposite terminal can call an original encryption interface of the opposite terminal to generate the original key of the first session and a negotiation parameter B according to the negotiation parameter A; receiving a negotiation parameter B returned by an opposite terminal through a negotiation channel of an original key; and calling an original encryption interface of the local terminal to generate an original key of the first session according to the negotiation parameter B. Thus, through the original key negotiation process, both the home terminal and the opposite terminal can obtain the original key of the first session.
In this implementation, fig. 4 is a schematic diagram of an application scenario provided in an exemplary embodiment of the present application. In this exemplary application scenario, two encryptors (corresponding to the encryption devices in this embodiment) at two locations (branch a and branch B) and two user-side applications (application a and application B are the same application, such as a stock exchange application, but are distinguished by a and B depending on the location) are included. It should be understood that in practical applications, more encryptors and user-side applications may be supported in different areas and interconnected, for example, an encryption session may also occur between branch a and branch B. According to the scheme, the two encryption machines can carry out safe communication through the TLS protocol, and whether the communication between applications needs safe encryption is not limited too much. Referring to fig. 4, in this exemplary application scenario, a specific implementation process of the scheme may be:
1. the quantum security key components of the two encryptors can start negotiation of quantum security keys before the application calls the standard SDF interface of the encryptors to generate the original key (for example, quantum key negotiation can be started when the management software on the two encryptors activates the quantum security mode), and after the quantum key negotiation is completed, a quantum key set with keyID as an index can be obtained, and the quantum keys are in a ready state. The quantum security key component can provide quantum keys to the outside through the interface service layer. The negotiation process may be based on the PQC algorithm and may choose to access the QKD protocol as well as the QRNG device.
2. As an initiator of the encryption, the client application a of the branch office a may execute the sm2dh algorithm by calling the SDF standard interface SDF _ generateagentdatawithecc (), where the entry (request ID) may be provided by the user side application a, which may return the corresponding negotiated parameters a.
3. The application A can send the negotiation parameter A returned by the SDF interface to the application B at the branch B end based on the TCP/IP.
4. The application B may call the self SDF standard interface SDF _ generateagendataandkeywithecc (), and the main input parameters are (request ID, response ID, and negotiation parameter a), where the request ID may be sent by the application a along with the negotiation parameter a, or may be configured by the applications at both ends in advance. The response ID can be customized by application B, and other types of applications of branch office B should use a different response ID. The SDF interface may be executed to obtain the original key.
5. And after the application B calls the SDF interface to perform sm2dh algorithm operation, temporarily storing the obtained original key, and handing the key to a key mixing task at the local end for subsequent processing. In addition, application B sends its own negotiation parameters B to application a.
6. After receiving the negotiation parameter B, the application a passes (response ID, negotiation parameter B) as an entry parameter to the SDF standard interface SDF _ generatekeywathecc (), where the response ID may be sent by the application B together with the negotiation parameter B, or may be configured by the applications at both ends in advance.
7. And after the application A calls the SDF interface to perform sm2dh algorithm operation, temporarily storing the obtained original key, and handing the key to a key mixing task at the home terminal for subsequent processing.
8. The Key mixing task in the encryption machine a may call an interface provided by the quantum secure Key component to request the quantum Key, the main entry parameter is a session identifier (request ID), and the quantum secure Key component returns the quantum Key and its Key identifier (Key, Key ID).
9. And the Key mixing task in the encryption machine A sends the obtained Key ID to the Key mixing task of the opposite end through the TCP/IP.
10. The Key mixing task in the encryption machine B calls an interface provided by the quantum security Key component to request the quantum security Key, the main entry parameter is (request ID, response ID, Key ID), and the quantum security Key component returns the quantum Key (Key).
11. After the key mixing task in the encryption machine B successfully obtains the quantum key, a successful response can be sent to the key mixing task in the encryption machine A.
12. And the key mixing tasks at the two ends are used for mixing the original key calculated by the sm2dh algorithm and the quantum key obtained from the quantum security key component in an exclusive OR (XOR) mode to obtain the quantum security (namely, quantum attack resistant) session key.
It should be understood that the original key agreement process and the quantum key agreement process described above are merely exemplary, and the present embodiment is not limited thereto.
In another implementation manner, quantum key agreement is not directly performed between the quantum secure key component of the local terminal and the quantum secure key component of the opposite terminal, but is indirectly performed by relying on an original key agreement process. In the implementation mode, the negotiation parameters required by the quantum key negotiation corresponding to the first session can be exchanged with the opposite terminal through the negotiation channel of the original key; and constructing the quantum key corresponding to the first session by using the quantum security key component of the local terminal according to the received negotiation parameters required by the quantum key negotiation corresponding to the first session. That is, in this implementation manner, the negotiation parameters required for quantum key negotiation will multiplex the negotiation channel of the original key, and it is no longer necessary to construct the negotiation channel of the quantum key between the quantum secure key component of the local terminal and the quantum secure key component of the opposite terminal, and there is no longer direct communication between the quantum secure key component of the local terminal and the quantum secure key component of the opposite terminal.
Fig. 5 is a schematic diagram illustrating an operation principle of another encryption device according to an exemplary embodiment of the present application. In fig. 5, the encryption devices of the present embodiment are respectively deployed on the hosts of the branch office a and the branch office B as an exemplary application scenario. Referring to fig. 5, in this implementation, when an encryption device deployed in a branch office a is taken as a local terminal, a quantum secure key component of the local terminal may generate a quantum key negotiation parameter a corresponding to a first session; transmitting the quantum key negotiation parameter a to the opposite terminal through the negotiation channel of the original key; the quantum security key component of the opposite end can construct a quantum key corresponding to the first session and a quantum key negotiation parameter b according to the quantum key negotiation parameter a; the local terminal can receive a quantum key negotiation parameter b generated by a quantum security key component of the opposite terminal through a negotiation channel of the original key, and construct a quantum key corresponding to the first session according to the quantum key negotiation parameter b. And the quantum key of the first session constructed by the home terminal and the opposite terminal is symmetrical. Optionally, in this implementation, the quantum key agreement component may employ post-quantum cryptography, PQC, or like techniques to generate the quantum key for the first session.
In addition, in this implementation, since the negotiation parameters required for quantum key negotiation are transmitted by multiplexing the negotiation channel of the original key, an exemplary multiplexing transmission scheme may be: an original encryption interface of the home terminal generates an original key negotiation parameter a' for the first session; combining an original key negotiation parameter a' corresponding to the first session with a quantum key negotiation parameter a to obtain a negotiation parameter A; and transmitting the negotiation parameter A to the opposite terminal through a negotiation channel of the original key. Thus, the original key negotiation parameter a' and the quantum key negotiation parameter a corresponding to the first session can be synchronously transmitted to the opposite terminal through the negotiation channel of the original key. For the opposite end, after receiving the negotiation parameter a, splitting an original key negotiation parameter a ' and a quantum key negotiation parameter a corresponding to the first session, and providing the original key negotiation parameter a ' to the original key component 30, so that the original key component 30 generates an original key for the first session according to the original key negotiation parameter a '; quantum key agreement parameter a is provided to quantum secure key component 40 for quantum secure key component 40 to generate a quantum key for the first session. In addition, the opposite end may also generate a quantum key negotiation parameter B and an original key negotiation parameter B ' for the first session, and return the generated negotiation parameter B to the home end through a negotiation channel of the original key after combination, on this basis, the home end may split the negotiation parameter B and provide the original key negotiation parameter B ' to the original key component 30, so that the original key component 30 generates the original key for the first session according to the original key negotiation parameter B '. In this way, the home and peer can generate quantum keys for the first session based on the respective quantum secure key components and generate original keys for the first session based on the respective original key components. The quantum key and the original key generated for the first session at the two ends are symmetrical.
In this implementation, fig. 6 is a schematic diagram of another application scenario provided in an exemplary embodiment of the present application. In this exemplary application scenario, two encryptors (corresponding to the encryption devices in this embodiment) at two locations (branch a and branch B) and two user-side applications (application a and application B are the same application, such as a stock exchange application, but are distinguished by a and B depending on the location) are included. It should be understood that in practical applications, more encryptors and user-side applications may be supported in different areas and interconnected, for example, an encryption session may also occur between branch a and branch B. Referring to fig. 6, in this exemplary application scenario, a specific implementation process of the scheme may be:
1. the client application A of the branch A executes the sm2dh algorithm by calling an SDF standard interface SDF _ GenerateAgementDataWithECC (), wherein the entry parameter (request ID) is pre-configured by the user, and the interface returns the corresponding negotiation parameter A.
2. The SDF _ generateagentdatawithecc () interface will generate the key agreement parameter a' of the sm2 algorithm and enter the parameter mixing logic if the sm2 algorithm needs to be combined with the pqc algorithm.
3-4. parameter mixing logic generates a public-private key pair by invoking a PQC public-private key generation function in the quantum secure key component, with the public key portion serving as the key agreement parameter a of the PQC algorithm.
5-6. after combining the key agreement parameter a' with the key agreement parameter a of the PQC algorithm, the parameter mixing logic returns to application A through SDF _ GenerateAgementDataWithECC ().
7. And the application A sends the negotiation parameter A which is returned by the SDF interface and contains the key negotiation parameter a' and the key negotiation parameter a of the PQC algorithm to the application B at the branch B end based on the negotiation channel TCP/IP of the original key.
8. The application B calls an SDF standard interface SDF _ GENERATeAgensimentDataAndKeyWithECC (), and the main input parameters are (request ID, response ID and mixed negotiation parameter A), wherein the request ID and the response ID are configured by the user in advance.
9. The negotiated parameter a (a' + a) will be handed over to the parameter mixing logic for processing.
10-11, the parameter mixing logic splits the negotiation parameter A, and continues to hand the key negotiation parameter a 'to the SDF _ GenerateAgreementDataAndKeyWithECC () interface for processing, so as to obtain the original key based on the sm2 algorithm, and generate the key negotiation parameter b'. And meanwhile, the negotiation parameter a of the PQC algorithm is processed by a packaging function of the PQC algorithm in the quantum security key assembly to obtain a quantum key based on the PQC algorithm, and the negotiation parameter b of the PQC algorithm is returned for calculating an opposite-end PQC decapsulation function.
13-14. the parameter mixing logic merges the key negotiation parameter B' with the negotiation parameter B returned by the PQC algorithm into a negotiation parameter B, which is returned to the application B through the SDF _ generateagentemdataandkeywithecc () interface.
15. And the application B sends the negotiation parameter B returned by the SDF interface to the application A at the branch A end based on the negotiation channel TCP/IP of the original key.
16. After receiving the negotiation parameter B, the application a passes (response ID, the mixed negotiation parameter B) as an entry parameter to the SDF standard interface SDF _ generatekeywathecc (), where the response ID is pre-configured by the user.
17. The negotiated parameter B (B' + B) will be handed over to the parameter mixing logic for processing.
18-19, the parameter mixing logic splits the negotiation parameter B, and continues to deliver the key negotiation parameter B' to the SDF _ GenerateKeyWithECC () interface for processing, so as to obtain the original key based on the sm2 algorithm. And meanwhile, the negotiation parameter b of the PQC algorithm is processed by a decapsulation function of the PQC algorithm to obtain a quantum key based on the PQC algorithm.
It should be understood that the above two implementations are only exemplary, and the present embodiment is not limited thereto.
To this end, the processor 20 in the encryption device may obtain the original key and the quantum key for the first session. Processor 20 may blend an original key and a quantum key corresponding to the first session to obtain a session key for the first session; and encrypts data during the first session using the session key for the first session. In an alternative implementation: processor 20 may xor the original key and the quantum key corresponding to the first session to obtain a session key for the first session. Thus, in this embodiment, an internal fusion mode may be adopted to perform simple and effective xor operation on the quantum key generated by the quantum security technology and the original key generated by the cryptographic algorithm negotiation, which is the most suitable mode for fusing the quantum security technology at the early stage of development with the classical cryptography, and the application of the quantum security technology may be realized without reducing any existing security.
Based on this, in this embodiment, the home terminal and the peer terminal may negotiate an original key based on the original key component 30, negotiate a quantum key based on the quantum security key component 40, and there is no mutual interference between the negotiation processes of the original key by the quantum key negotiation process, and the two processes do not affect each other. Thus, in this embodiment, the encryption device can support free switching of the encryption mode.
In this embodiment, the encryption device may provide at least two encryption modes: an original encryption mode and a quantum encryption mode. For the first session, in the quantum encryption mode, the foregoing processes in this embodiment may be performed, and the data during the first session is encrypted by using the foregoing session key generated for the first session. The quantum encryption mode can be closed to enter the original encryption mode in response to a quantum encryption mode closing instruction, namely, the encryption of the data in the first session period by using the session key of the first session is switched to the encryption of the data in the first session period by using the original key; in this case, quantum secure key component 40 may also be turned off and no key-mixing operations may be performed, although this is not necessary. Of course, in this embodiment, the encryption device may also directly use other encryption modes, for example, a mode that performs encryption by using a quantum key alone, and the present embodiment is not limited thereto. Therefore, in the embodiment, the quantum security function of the encryption device can be freely turned on and off as required, the user is endowed with the right of rapidly switching the encryption mode of the encryption device, and the original encryption mode is not damaged at all.
In summary, the encryption device provided by the embodiment can produce at least the following technical effects:
1. the improved encryption equipment can still provide a complete and compliant original encryption function and is used for a data encryption scene of a client, and all interfaces conform to the national password standard.
2. The improved encryption equipment can obtain quantum security function, accords with the requirement of password agility (crypto agility), can freely open and close the quantum encryption mode, and ensures that the original encryption mode is not damaged.
3. The quantum security capability can be fused into the encryption equipment in a modularized mode, the method is very flexible and easy to expand, the original function of the encryption equipment is not influenced, external quantum equipment such as QKD or QRNG and the like meeting the compliance requirement can be additionally accessed according to the requirement, and therefore a session key generated in a multiple encryption mode is obtained, and the requirements of different security levels are met.
4. By adopting an internal fusion mode, the quantum key generated by the quantum security technology and the original key generated by the negotiation of the state cryptographic algorithm are subjected to simple and effective XOR operation, so that the quantum security technology is fused with the classical cryptography, and the quantum security technology is applied on the premise of not reducing any existing security.
Fig. 7 is a flowchart of a data encryption method, which may be applied to the encryption device described above and in which a quantum secure key component is deployed according to another exemplary embodiment of the present application. Referring to fig. 7, the method may include:
step 700, in response to a data encryption request, negotiating an original key for a first session with an opposite terminal;
step 701, determining a quantum key corresponding to the first session by using a quantum security key component of the home terminal, wherein the quantum key is generated by performing quantum key negotiation between the home terminal and the opposite terminal based on the respective quantum security key components;
step 702, mixing an original key and a quantum key corresponding to the first session to obtain a session key of the first session;
step 703 encrypts data during the first session using the session key of the first session.
In an optional embodiment, the step of determining, by using a quantum security key component at the home terminal, a quantum key corresponding to the first session includes:
distributing quantum keys for the first session from the quantum key set by using a quantum security key component of the home terminal to obtain the quantum keys corresponding to the first session;
the quantum key set is generated by performing quantum key negotiation in advance between a quantum security key component of the local terminal and a quantum security key component of the opposite terminal.
In an alternative embodiment, the process of quantum key agreement includes:
exchanging negotiation parameters required by quantum key negotiation with the opposite terminal through a quantum key negotiation channel established between the quantum security key component of the local terminal and the quantum security key component of the opposite terminal;
and generating a quantum key set by using the quantum secure key component of the local terminal according to the received negotiation parameters required by the quantum key negotiation.
In an optional embodiment, the method may further comprise:
acquiring a key identifier associated with a quantum key corresponding to the first dialogue by using a quantum security key component of the home terminal;
and providing the key identification corresponding to the first session to the opposite terminal, so that the opposite terminal searches the quantum key corresponding to the key identification from the quantum key set of the opposite terminal based on the quantum security key component of the opposite terminal and mixes the searched quantum key and the original key to obtain the session key of the first session.
In an alternative embodiment, the step of negotiating with the peer the original key for the first session comprises:
calling an original encryption interface of the home terminal to generate a negotiation parameter A for the first session;
providing the negotiation parameter A to the opposite terminal through a negotiation channel of the original key so that the opposite terminal can call an original encryption interface of the opposite terminal to generate the original key of the first session and a negotiation parameter B according to the negotiation parameter A;
receiving a negotiation parameter B returned by an opposite terminal through a negotiation channel of an original key;
and calling an original encryption interface of the local terminal to generate an original key of the first session according to the negotiation parameter B.
In an optional embodiment, the method may further comprise:
negotiating with the peer an original key for the second session;
receiving a key identification corresponding to a second dialogue sent by an opposite terminal;
searching a quantum key associated with the key identifier corresponding to the second session from the quantum key set by using the quantum security key component of the home terminal, and taking the quantum key as the quantum key corresponding to the second session;
mixing an original key and a quantum key corresponding to the second session to obtain a session key of the second session;
data during the second session is encrypted using a session key for the second session.
In an alternative embodiment, the quantum security key component is externally connected with a quantum random number generator, and the method may further include:
acquiring a quantum random number from a quantum random number generator by using a quantum security key component of the home terminal;
calling a designated quantum key negotiation algorithm to carry out quantum key negotiation with an opposite terminal according to the quantum random number so as to generate a quantum key set;
the quantum key set comprises a plurality of quantum keys, the quantum keys take key identifications as indexes, and the quantum keys corresponding to the first session are contained in the quantum key set.
In an optional embodiment, the step of determining, by using a quantum security key component at the home terminal, a quantum key corresponding to the first session includes:
exchanging a negotiation parameter required by quantum key negotiation corresponding to the first session with the opposite terminal through a negotiation channel of the original key;
and constructing the quantum key corresponding to the first session by using the quantum security key component of the local terminal according to the received negotiation parameters required by the quantum key negotiation corresponding to the first session.
In an optional embodiment, the step of exchanging, with the opposite end through a negotiation channel of the original key, negotiation parameters required for quantum key negotiation corresponding to the first session includes:
generating a quantum key negotiation parameter a corresponding to a first session by using a quantum security key component of the local terminal;
transmitting the quantum key negotiation parameter a to the opposite end through the negotiation channel of the original key, so that the opposite end can construct a quantum key corresponding to the first session and a quantum key negotiation parameter b according to the quantum key negotiation parameter a by utilizing the quantum security key component of the opposite end;
and receiving a quantum key negotiation parameter b generated by a quantum security key component of the opposite end through a negotiation channel of the original key.
In an optional embodiment, the step of transferring the quantum key negotiation parameter a to the opposite end through the original key negotiation channel includes:
calling an original encryption interface of the home terminal to generate an original key negotiation parameter a' for the first session;
combining an original key negotiation parameter a' corresponding to the first session with a quantum key negotiation parameter a to obtain a negotiation parameter A;
and transmitting the negotiation parameter A to the opposite terminal through a negotiation channel of the original key.
In an optional embodiment, the step of mixing an original key and a quantum key corresponding to the first session to obtain a session key of the first session includes:
and carrying out exclusive OR processing on the original key and the quantum key corresponding to the first session to obtain a session key of the first session.
In an optional embodiment, the method may further comprise:
switching from encrypting data during the first session using a session key of the first session to encrypting data during the first session using an original key in response to the quantum encryption mode close instruction;
in the quantum encryption mode, data during the first session is encrypted using a session key for the first session.
It should be noted that in some of the flows described in the above embodiments and the drawings, a plurality of operations are included in a specific order, but it should be clearly understood that the operations may be executed out of the order presented herein or in parallel, and the sequence numbers of the operations, such as 701, 702, etc., are merely used for distinguishing different operations, and the sequence numbers do not represent any execution order per se. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used to distinguish different sessions, etc., and do not represent a sequential order, nor do they limit the types of "first" and "second" that are different.
In addition, for the technical details in the embodiments of the data encryption method, reference may be made to the related description in the embodiments of the encryption device, and for the sake of brevity, no further description is provided herein, but this should not cause a loss of the scope of the present application.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program is capable of implementing the steps that can be performed by the encryption device in the foregoing method embodiments when executed.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (14)

1. A quantum secure data encryption method is suitable for an encryption device, wherein a quantum secure key component is deployed in the encryption device, and the method comprises the following steps:
negotiating an original key for the first session with the opposite end in response to the data encryption request;
determining a quantum key corresponding to the first session by using a quantum security key component of the home terminal, wherein the quantum key is generated by performing quantum key negotiation between the home terminal and the opposite terminal based on the respective quantum security key components;
mixing an original key and a quantum key corresponding to the first session to obtain a session key of the first session;
data during the first session is encrypted using a session key for the first session.
2. The method of claim 1, the determining, with a quantum secure key component of a home terminal, a quantum key corresponding to the first session, comprising:
distributing quantum keys for the first session from a quantum key set by using a quantum security key component of a home terminal to obtain the quantum keys corresponding to the first session;
the quantum key set is generated by performing quantum key negotiation in advance between a quantum security key component of the local terminal and a quantum security key component of the opposite terminal.
3. The method of claim 2, the process of quantum key agreement, comprising:
exchanging negotiation parameters required by quantum key negotiation with the opposite terminal through a quantum key negotiation channel established between the quantum security key component of the local terminal and the quantum security key component of the opposite terminal;
and generating the quantum key set by using the quantum secure key component of the local terminal according to the received negotiation parameters required by the quantum key negotiation.
4. The method of claim 2, further comprising:
acquiring a key identifier associated with a quantum key corresponding to the first dialogue by using a quantum security key component of a home terminal, wherein the key identifier serves as an index for a plurality of quantum keys in the quantum key set;
and providing the key identification corresponding to the first session to an opposite terminal, so that the opposite terminal searches a quantum key corresponding to the key identification from a quantum key set of the opposite terminal based on a quantum security key component of the opposite terminal and mixes the searched quantum key and the original key to obtain a session key of the first session.
5. The method of claim 2, the negotiating an original key for a first session with a peer, comprising:
calling an original encryption interface of the home terminal to generate a negotiation parameter A for the first session;
providing the negotiation parameter A to an opposite terminal through a negotiation channel of an original key so that the opposite terminal can call an original encryption interface of the opposite terminal to generate the original key of the first session and a negotiation parameter B according to the negotiation parameter A;
receiving a negotiation parameter B returned by the opposite terminal through a negotiation channel of the original key;
and calling an original encryption interface of the local terminal to generate an original key of the first session according to the negotiation parameter B.
6. The method of claim 2, further comprising:
negotiating with the peer an original key for the second session;
receiving a key identification corresponding to a second dialogue sent by an opposite terminal;
searching a quantum key associated with the key identifier corresponding to the second session from the quantum key set by using a quantum security key component of a local terminal, and taking the quantum key as the quantum key corresponding to the second session;
mixing an original key and a quantum key corresponding to the second session to obtain a session key of the second session;
encrypting data during the second session using a session key for the second session.
7. The method of claim 2, the quantum security key component externally connected to a quantum random number generator, the method further comprising:
acquiring a quantum random number from the quantum random number generator by using a quantum security key component of a home terminal;
calling a designated quantum key negotiation algorithm to carry out quantum key negotiation with an opposite terminal according to the quantum random number so as to generate a quantum key set;
the quantum key set comprises a plurality of quantum keys, the quantum keys take key identification as an index, and the quantum key corresponding to the first session is contained in the quantum key set.
8. The method of claim 1, the determining, with a quantum secure key component of a home terminal, a quantum key corresponding to the first session, comprising:
exchanging a negotiation parameter required by quantum key negotiation corresponding to the first session with the opposite terminal through a negotiation channel of the original key;
and constructing a quantum key corresponding to the first session by using the quantum security key component of the local terminal according to the received negotiation parameters required by the quantum key negotiation corresponding to the first session.
9. The method of claim 8, wherein exchanging negotiation parameters required for quantum key negotiation corresponding to the first session with the opposite end through the negotiation channel of the original key comprises:
generating a quantum key negotiation parameter a corresponding to a first session by using a quantum security key component of the local terminal;
transmitting the quantum key negotiation parameter a to an opposite end through a negotiation channel of the original key, so that the opposite end utilizes a quantum security key component of the opposite end to construct a quantum key corresponding to the first session and a quantum key negotiation parameter b according to the quantum key negotiation parameter a;
and receiving a quantum key negotiation parameter b generated by a quantum security key component of the opposite end through the negotiation channel of the original key.
10. The method of claim 9, wherein the passing the quantum key agreement parameter a to a peer end through the original key agreement channel comprises:
calling an original encryption interface of the home terminal to generate an original key negotiation parameter a' for the first session;
combining the original key negotiation parameter a' and the quantum key negotiation parameter a corresponding to the first session to obtain a negotiation parameter A;
and transmitting the negotiation parameter A to the opposite terminal through the negotiation channel of the original key.
11. The method of claim 1, the mixing an original key and a quantum key corresponding to the first session to obtain a session key for the first session, comprising:
and carrying out exclusive OR processing on the original key and the quantum key corresponding to the first session to obtain a session key of the first session.
12. The method of claim 1, further comprising:
switching from encrypting data during the first session using a session key of the first session to encrypting data during the first session using the original key in response to a quantum encryption mode close instruction;
in the quantum encryption mode, data during the first session is encrypted using a session key of the first session.
13. An encryption device comprising a memory, a processor, a raw key component, and a quantum secure key component;
the memory is to store one or more computer instructions;
the processor, coupled with the memory, the raw key component, and the quantum secure key component, to execute the one or more computer instructions to:
negotiating an original key for a first session with a peer using the original key component in response to a data encryption request;
determining a quantum key corresponding to the first session by using a quantum security key component of the home terminal, wherein the quantum key is generated by performing quantum key negotiation between the home terminal and the opposite terminal based on the respective quantum security key components;
mixing an original key and a quantum key corresponding to the first session to obtain a session key of the first session;
data during the first session is encrypted using a session key for the first session.
14. A computer-readable storage medium storing computer instructions that, when executed by one or more processors, cause the one or more processors to perform the quantum-secure data encryption method of any one of claims 1-9.
CN202111372817.8A 2021-11-19 2021-11-19 Quantum-safe data encryption method, encryption equipment and storage medium Active CN113810432B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111372817.8A CN113810432B (en) 2021-11-19 2021-11-19 Quantum-safe data encryption method, encryption equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111372817.8A CN113810432B (en) 2021-11-19 2021-11-19 Quantum-safe data encryption method, encryption equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113810432A true CN113810432A (en) 2021-12-17
CN113810432B CN113810432B (en) 2022-06-17

Family

ID=78938468

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111372817.8A Active CN113810432B (en) 2021-11-19 2021-11-19 Quantum-safe data encryption method, encryption equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113810432B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116582265A (en) * 2023-07-12 2023-08-11 北京信安世纪科技股份有限公司 Key negotiation method and key negotiation system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107959566A (en) * 2016-10-14 2018-04-24 阿里巴巴集团控股有限公司 Quantal data key agreement system and quantal data cryptographic key negotiation method
CN108270557A (en) * 2016-12-30 2018-07-10 科大国盾量子技术股份有限公司 A kind of backbone system and its trunking method based on quantum communications
CN108696353A (en) * 2018-05-30 2018-10-23 厦门科华恒盛股份有限公司 A kind of distribution method of quantum key and system, service station
CN108964912A (en) * 2018-10-18 2018-12-07 深信服科技股份有限公司 PSK generation method, device, user equipment, server and storage medium
CN208589994U (en) * 2018-08-28 2019-03-08 中国银行股份有限公司 A kind of telecommunication transmission system based on quantum wavelength-division multiplex
US10574461B2 (en) * 2013-09-30 2020-02-25 Triad National Security, Llc Streaming authentication and multi-level security for communications networks using quantum cryptography
CN111901553A (en) * 2020-07-16 2020-11-06 南京百家云科技有限公司 Data encryption and decryption method, device, equipment, server and storage medium

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10574461B2 (en) * 2013-09-30 2020-02-25 Triad National Security, Llc Streaming authentication and multi-level security for communications networks using quantum cryptography
CN107959566A (en) * 2016-10-14 2018-04-24 阿里巴巴集团控股有限公司 Quantal data key agreement system and quantal data cryptographic key negotiation method
CN108270557A (en) * 2016-12-30 2018-07-10 科大国盾量子技术股份有限公司 A kind of backbone system and its trunking method based on quantum communications
CN108696353A (en) * 2018-05-30 2018-10-23 厦门科华恒盛股份有限公司 A kind of distribution method of quantum key and system, service station
CN208589994U (en) * 2018-08-28 2019-03-08 中国银行股份有限公司 A kind of telecommunication transmission system based on quantum wavelength-division multiplex
CN108964912A (en) * 2018-10-18 2018-12-07 深信服科技股份有限公司 PSK generation method, device, user equipment, server and storage medium
CN111901553A (en) * 2020-07-16 2020-11-06 南京百家云科技有限公司 Data encryption and decryption method, device, equipment, server and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116582265A (en) * 2023-07-12 2023-08-11 北京信安世纪科技股份有限公司 Key negotiation method and key negotiation system
CN116582265B (en) * 2023-07-12 2023-10-20 北京信安世纪科技股份有限公司 Key negotiation method and key negotiation system

Also Published As

Publication number Publication date
CN113810432B (en) 2022-06-17

Similar Documents

Publication Publication Date Title
JP7164580B2 (en) Secure multi-party loss-tolerant storage and transfer of cryptographic keys for blockchain-based systems in conjunction with wallet management systems
CN104660602B (en) A kind of quantum key transfer control method and system
JP5171991B2 (en) Key agreement and transport protocol
FI111115B (en) Method and system for key exchange in a computer network
CN107040369A (en) Data transmission method, apparatus and system
CN107800539A (en) Authentication method, authentication device and Verification System
CN106411521A (en) Identity authentication methods, devices and system for quantum key distribution process
WO2007011897A2 (en) Cryptographic authentication, and/or establishment of shared cryptographic keys, using a signing key encrypted with a non-one-time-pad encryption, including (but not limited to) techniques with improved security against malleability attacks
CN103534975A (en) Discovery of security associations for key management relying on public keys
CN110808834B (en) Quantum key distribution method and quantum key distribution system
CN113643134B (en) Internet of things blockchain transaction method and system based on multi-key homomorphic encryption
CN113810432B (en) Quantum-safe data encryption method, encryption equipment and storage medium
CN115174061A (en) Message transmission method and device based on block chain relay communication network system
CA3204279A1 (en) System and method for key establishment
Miculan et al. Automated Symbolic Verification of Telegram's MTProto 2.0
CN110809000B (en) Service interaction method, device, equipment and storage medium based on block chain network
CN116132043B (en) Session key negotiation method, device and equipment
Tin et al. Protocols with security proofs for mobile applications
Sandoval et al. Pakemail: authentication and key management in decentralized secure email and messaging via pake
Boyd et al. Design and analysis of key exchange protocols via secure channel identification
Zhu et al. Provably Secure Multi-server Privacy-Protection System Based on Chebyshev Chaotic Maps without Using Symmetric Cryptography.
CN112468983B (en) Low-power-consumption access authentication method for intelligent equipment of power internet of things and auxiliary device thereof
CN112583580B (en) Quantum key processing method and related equipment
Arora et al. Handling Secret Key Compromise by Deriving Multiple Asymmetric Keys based on Diffie-Hellman Algorithm
CN114362927A (en) Key agreement method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40064008

Country of ref document: HK