CN114221765B - Quantum key distribution method for fusion of QKD network and classical cryptographic algorithm - Google Patents
Quantum key distribution method for fusion of QKD network and classical cryptographic algorithm Download PDFInfo
- Publication number
- CN114221765B CN114221765B CN202210147531.8A CN202210147531A CN114221765B CN 114221765 B CN114221765 B CN 114221765B CN 202210147531 A CN202210147531 A CN 202210147531A CN 114221765 B CN114221765 B CN 114221765B
- Authority
- CN
- China
- Prior art keywords
- access terminal
- qkd
- domain server
- quantum key
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- Electromagnetism (AREA)
- Theoretical Computer Science (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A quantum key distribution method for fusion of a QKD network and a classical cryptographic algorithm comprises the following steps: establishing a mesh topology between the QKD network and the access terminal; issuing public and private key pairs to each QKD node in the mesh topology; the communication QKD nodes mutually initiate a virtual quantum key distribution link establishment request; quantum key encryption and decryption communication processes are realized among the communication QKD nodes. Compared with the prior art, the invention solves the problem of fusion between the quantum key distribution network and the information system based on the classical cryptographic algorithm. By using the safe encryption channel constructed based on the asymmetric cryptographic algorithm key negotiation process, the dynamic key distribution from the quantum backbone network to the terminal equipment is realized, and the problem of inconvenient offline charging is solved. By using the signature algorithm of the bidirectional authentication, the problem of identity authentication between the domain server and the terminal equipment and between the terminal equipment and the terminal equipment is solved. Replay attacks can be effectively prevented by introducing a time parameter into the algorithm.
Description
Technical Field
The invention relates to the technical field of quantum communication and cryptography, in particular to a quantum key distribution method fusing a QKD network and a classical cryptographic algorithm.
Background
Quantum Key Distribution (QKD) is based on the uncertainty, inseparable and unclonable principles in Quantum mechanics, and ensures the Distribution security of keys in a network by using Key Distribution protocols such as BB84, B92 and EPR. In recent years, due to the high security feature of the QKD technology, quantum key distribution platforms based on the QKD technology are widely used in fields with high security requirements, such as e-government affairs, finance, energy and the like.
However, in practical applications, the quantum key distribution device can only be deployed in the backbone communication network for cost reasons, and the communication path from the terminal device to the backbone network can only rely on the classical cryptographic algorithm before the quantum key distribution device is miniaturized and the cost is reduced.
The key distribution method of the mainstream quantum key distribution product in the current market for the terminal equipment from the backbone network adopts an off-line charging mode, the quantum key is charged into the secure storage equipment in advance, and the secure storage equipment is installed on the terminal equipment, so that the terminal equipment can obtain the quantum key.
The method combines quantum key offline charging and classical cryptographic algorithm, a secure channel from a terminal to a quantum key distribution backbone network is constructed by using an encryption algorithm by using a quantum key charged in advance, and then the secure channel is used for updating an online quantum key, the secure channel is usually directly protected by using a symmetric encryption algorithm, but the method has the problems that the complexity of a key negotiation process is higher due to the limitation of offline key storage space and the existence of QKD routing between two terminal devices far away from a wide-area quantum key distribution network, the method is lower in fusion degree with the conventional PKI system with a wide application range, and the market popularization difficulty is high. .
Disclosure of Invention
The invention provides a quantum key distribution method fusing a QKD network and a classical cryptographic algorithm, which aims to solve the technical defects that in the prior art, the application of quantum key offline charging from a backbone network to terminal equipment is inconvenient, the process of the current method for combining the quantum key offline charging and the classical cryptographic algorithm is complex, and the fusion degree of the current PKI system is low, and specifically comprises the following steps:
the technical scheme of the invention is realized as follows:
a quantum key distribution method fusing a QKD network and a classical cryptographic algorithm comprises the following steps:
1) establishing a mesh topology between the QKD network and the access terminal, wherein the mesh topology comprises a plurality of QKD nodes;
2) issuing public and private key pairs to each QKD node in the mesh topology;
3) the communication QKD nodes mutually initiate a virtual quantum key distribution link establishment request;
4) and quantum key encryption and decryption communication processes are realized among the communication QKD nodes, and the quantum key distribution method is completed.
Preferably, in the step 1): the QKD network includes a number of QKD servers in one-to-one correspondence with QKD nodes distributed at different geographic locations and interconnected by communication lines consisting of QKD links and classical network links to form a mesh topology in which different QKD nodes divide different network domains.
Preferably, in the step 2): the QKD server is used for realizing asymmetric cryptographic service and QKD service, the public and private key pair of each QKD server is issued by a uniform trusted server, the access terminal is connected to the QKD servers in the QKD network through the network, one access terminal can only be connected to one QKD server at the same time, and the access terminal is provided with the public and private key pair issued by the connected QKD server; the public and private key pair issuing process of each node is as follows:
step 2, installing domain server certificates for all QKD nodes and installing CA service;
step 3, the access terminals which are communicated with each other have classical password calculation capacity and support algorithms of SM2, SM3 and SM 4;
step 4, defining the access terminals which are communicated with each other as an access terminal A and an access terminal B, respectively connecting the access terminal A and the access terminal B to different domain servers, correspondingly serving as a domain server i and a domain server j, and allocating IP addresses;
step 5, using respective domain server to issue certificate for terminal connected thereto;
step 6, installing the issued certificates into the equipment respectively;
and 7, sharing the public key in the certificate between the access terminal A and the access terminal B.
Preferably, the specific process of implementing quantum key encryption and decryption communication between two communication QKD nodes in step 4) is as follows:
step 2, the access terminal B verifies the request sent by the access terminal A, extracts information, calculates response data and sends the response data back to the access terminal A, wherein the encryption, signature and signature verification algorithm uses an SM2 standard algorithm, and the Hash algorithm uses SM 3;
step 3, the access terminal A verifies the response data sent by the access terminal B and extracts the information;
step 4, the access terminal A calculates request data according to the extracted information and uses a TCP protocol to launch the request data to a domain server i;
step 5, the access terminal B calculates request data according to the extracted information and uses a TCP protocol to start a domain server j;
step 6, the domain server i verifies the identity of the access terminal A and extracts Token;
step 7, the domain server j verifies the identity of the access terminal B and extracts Token;
step 8, the domain server i and the domain server j confirm whether the Token is consistent;
step 9, the domain server uses SM2 algorithm to negotiate session key with the device through TCP connection;
step 10, the domain server i and the domain server j use a decoy state protocol to distribute quantum keys;
step 11, the domain server i encrypts the quantum key by using the session key, and sends the encrypted quantum key to the access terminal A by using the established TCP channel;
step 12, the domain server j encrypts the quantum key by using the session key, and sends the encrypted quantum key to the access terminal B by using the established TCP channel;
step 13, the access terminal A uses the obtained quantum key to encrypt information and sends the information and the key identification to the access terminal B;
and step 14, the access terminal B finds the quantum encryption key according to the identifier and decrypts the information.
Compared with the prior art, the invention has the following beneficial effects:
the quantum key distribution method based on the fusion of the QKD network and the classical cryptographic algorithm solves the problem of the fusion between the quantum key distribution network and an information system based on the classical cryptographic algorithm. By using the safe encryption channel constructed based on the asymmetric cryptographic algorithm key negotiation process, the dynamic key distribution from the quantum backbone network to the terminal equipment is realized, and the problem of inconvenient offline charging is solved. By using the signature algorithm of the bidirectional authentication, the problem of identity authentication between the domain server and the terminal equipment and between the terminal equipment and the terminal equipment is solved. Replay attacks can be effectively prevented by introducing a time parameter into the algorithm.
Drawings
FIG. 1 is a schematic diagram of a QKD network of the present invention;
FIG. 2 is a schematic diagram of public and private key pair issuance according to the present invention;
FIG. 3 is a flow chart of virtual quantum key distribution link establishment in accordance with the present invention;
fig. 4 is a network topology diagram according to an embodiment of the present invention.
Detailed Description
The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which embodiments of the invention are shown.
As shown in fig. 1, a quantum key distribution method with QKD network fused with classical cryptographic algorithm mainly includes: QKD networks and access terminals. The QKD network is comprised primarily of QKD servers distributed at different geographic locations and interconnected by communication lines comprised of QKD links and classical network links to form a mesh topology.
Furthermore, as shown in fig. 2, the QKD server includes two main functions, namely asymmetric cryptographic service and QKD service, public and private key pairs of all the QKD servers are issued by a unified trusted server, the access terminal is connected to the QKD servers in the QKD network through a private network or the internet, one access terminal can only be connected to one QKD server at the same time, and the access terminal is provided with the public and private key pair issued by the QKD server.
Defining a QKD network S consisting of n QKD servers, having:
two-domain service in optional QKD serverDevice for cleaning the skinDomain server,Defining a set of access terminals、,Respectively, to a domain serverDomain serverAll access terminals of the domain serverAnd,the formed network is defined as a key distribution domain, wherein the domain serverIs a domain server of the key distribution domain, the domain serverHas a public and private key pair。
The key distribution domain comprises two types of device domain servers and an access terminal, and defines a device identification ID in the key distribution domain, wherein the ID is formed by splicing two parts, one part is a domain identificationAnd part is node identificationI.e. byThe symbol "|" represents concatenation, the device identifiers of the domain servers are all zero, the access terminal domain identifiers in the same key distribution domain are completely the same, and the node identifiers in different domains may be the same.
Selecting access terminals、Defining the equipment identification of the access terminal A asThe device identification of the access terminal B isAn access terminalHas a public and private key pairAnd domain server public keyAn access terminalTerminal B has public and private key pairAnd domain server public key。
The encryption algorithm is defined as:
representing a usage keyThe encryption is carried out in such a way that,representing the plaintext prior to the encryption thereof,representing the ciphertext after encryption. The decryption algorithm is defined as:
representing usage keysDecryption is performed. Defining a signature algorithm as,Representing the use of private keysThe signature is a signature of the received data,data representing the use of the signature is stored,representing the generated signature data. Defining a signature verification algorithm as follows:
public key for indicating usageThe label is checked, and the label is checked,the signature data which represents the signature needing to be checked, the Text represents the original data used by the signature, and the checking result has two types, namely P passing or F not passing. Defining the HMAC algorithm as:
representing a usage keyThe calculated HMAC algorithms include but are not limited to HMACMD5, HMACSHA256, HMACSM4, etc.,message data representing the inputs to the algorithm.
Definition is defined by access terminal A, domain serverDomain serverThe link formed by the access terminal B is a key distribution link between the access terminal A and the access terminal B, and the access terminal A and the domain server are physically connectedAccess terminal B and domain serverBetween them is classical network link, domain serverDomain serverThe QKD link is established, and the key distribution link establishing process between the access terminal a and the access terminal B is logically connected as follows:
any one of the access terminal a and the access terminal B can be used as an initiator, and assuming that the access terminal a is the initiator, the access terminal a generates a random numberThen, a request for establishing a quantum key distribution link is initiated to the access terminal B, and the request carries data:
Wherein the content of the first and second substances,for the time parameter to protect against replay attacks, the access terminal B uses the private keyDecrypting the request data sent by the access terminal A, carrying out identity authentication and integrity verification of the access terminal A through the signature data request data, generating a random number after successful verification by adopting a Hash algorithm such as SM3, SHA-1 or SHA-256 and the likeAnd transmits response data to the access terminal a:
Access terminal a uses the private keyDecrypting the request data sent by the access terminal B, carrying out identity authentication and integrity verification of the access terminal B through the signature data request data, and enabling the access terminal A and the access terminal B to respectively send the request data to the domain server of the domain where the access terminal A and the access terminal B are locatedDomain serverInitiating a request, establishing a password distribution link, and defining request data as follows:
domain serverDomain serverRespectively carrying out identity authentication on the access terminal A and the access terminal B, and decrypting the transmitted data to obtainData, domain serverDomain serverSecure channel confirmation through QKDData consistency, domain serverDomain serverWith access terminal A, connectEstablishing a secure channel between the access terminals B using a DH algorithm or a modified DH algorithm, a domain serverDomain serverThe quantum key is negotiated through a QKD protocol and is respectively pushed to an access terminal A and an access terminal B through a secure channel between the access terminal A and the access terminal B, quantum key information comprises two parts, a key identifier and a key value, and the quantum key information is specifically defined as follows:
the access terminal A and the access terminal B use the obtained quantum key to carry out safe communication, and the key identification information is attached to the communication data, and after the session is ended, the access terminal A and the access terminal B are actively disconnected to the domain server、And releasing the resources.
Further, whenAnd then, the access terminal A and the access terminal B are connected to the same domain server, and at this time, a virtual quantum key distribution link does not need to be constructed, the access terminal A and the access terminal B directly use a DH algorithm or an improved DH algorithm to send a request for establishing a secure channel to the domain server, and the quantum key is directly pulled from the domain server.
To ensure the security of the communication between access terminal a and access terminal B, a one-time pad algorithm may be employed.
The key cloud service layer also provides a quantum key management interface, including but not limited to operations of generating, finding, using, destroying, etc. a quantum key, which is derived from the virtual QKD network.
The general method steps of the invention include:
1) establishing a mesh topology between the QKD network and the access terminal, wherein the mesh topology comprises a plurality of QKD nodes;
2) issuing public and private key pairs to each QKD node in the mesh topology;
3) the communication QKD nodes mutually initiate a virtual quantum key distribution link establishment request;
4) and quantum key encryption and decryption communication processes are realized among the communication QKD nodes, and the quantum key distribution method is completed.
Referring to fig. 3-4, the embodiment of the present invention includes the following specific steps:
step 2, dividing different network domains for different nodes in the QKD network;
step 3, using a trusted CA server to create domain server certificates for all QKD nodes;
step 4, installing domain server certificates for all QKD nodes and installing CA service;
step 5, preparing two network access terminals A and B with classical password computing capability, and requiring to at least support SM2, SM3 and SM4 algorithms;
step 6, connecting A, B to different domain servers, domain server i and domain server j respectively as shown in fig. 4, and allocating the IP addresses;
step 7, using the domain server to respectively issue certificates for the access terminal A and the access terminal B connected to the domain server;
step 8, the issued certificates are respectively installed in the access terminal A and the access terminal B;
step 9, sharing the public key in the certificate between the access terminal A and the access terminal B;
step 10, the access terminal a actively initiates a request for establishing a virtual quantum key distribution link to the access terminal B, and the following process is shown in fig. 3;
step 11, generating information such as random numbers, time parameters and the like by the access terminal A, calculating request data by using a formula 1, and sending the request data to the access terminal B, wherein the encryption and signature algorithm uses an SM2 standard algorithm, and the Hash algorithm uses SM 3;
step 12, the access terminal B verifies the request sent by the access terminal A, extracts the information, and uses (formula 2) to calculate response data and sends the response data back to the access terminal A, wherein, the encryption, signature and signature verification algorithms use SM2 standard algorithm, and the Hash algorithm uses SM 3;
step 13, the access terminal A verifies the response data sent by the access terminal B and extracts the information;
step 14, the access terminal A calculates the request data by using (formula 3) according to the extracted information, and starts to a domain server i by using a TCP (transmission control protocol);
step 14, the access terminal B calculates the request data by using (formula 4) according to the extracted information, and starts to a domain server j by using a TCP (transmission control protocol);
step 15, the domain server i verifies the identity of the access terminal A and extracts Token;
step 16, the domain server j verifies the identity of the access terminal B and extracts Token;
step 17, the domain server i and the domain server j confirm whether the Token is consistent;
step 18, the domain server negotiates a session key with the device through the TCP connection using the SM2 algorithm;
step 19, the domain server i and the domain server j use a decoy state protocol to distribute the quantum key;
step 20, the domain server i encrypts the quantum key by using the session key, and sends the encrypted quantum key to the access terminal A by using the established TCP channel;
step 21, the domain server j encrypts the quantum key by using the session key, and sends the encrypted quantum key to the access terminal B by using the established TCP channel;
step 21, the access terminal A uses the obtained quantum key to encrypt information and sends the information and the key identification to the access terminal B;
and step 22, the access terminal B finds the encryption key according to the identifier and decrypts the information.
The invention solves the problem of fusion between a quantum key distribution network and an information system based on a classical cryptographic algorithm by combining the structure and the specific process of the invention. By using the safe encryption channel constructed based on the asymmetric cryptographic algorithm key negotiation process, the dynamic key distribution from the quantum backbone network to the terminal equipment is realized, and the problem of inconvenient offline charging is solved. By using the signature algorithm of the bidirectional authentication, the problem of identity authentication between the domain server and the terminal equipment and between the terminal equipment and the terminal equipment is solved. Replay attacks can be effectively prevented by introducing a time parameter into the algorithm.
Claims (1)
1. A quantum key distribution method for fusing a QKD network and a classical cryptographic algorithm is characterized by comprising the following steps:
1) establishing a mesh topology between the QKD network and the access terminal, wherein the mesh topology comprises a plurality of QKD nodes;
2) issuing public and private key pairs to each QKD node in the mesh topology;
3) quantum key distribution link establishment requests are mutually initiated among the communication QKD nodes;
4) the quantum key encryption and decryption communication process is realized among the communication QKD nodes, the quantum key distribution method is completed,
in the step 1): the QKD network comprises a plurality of QKD servers, the QKD servers correspond to the QKD nodes one by one, the QKD servers are distributed at different geographical positions and are connected with each other through a communication line formed by QKD links and classical network links to form a mesh topology, different network domains are divided according to different QKD nodes in the mesh topology,
in the step 2): the QKD server is used for realizing asymmetric cryptographic service and QKD service, the public and private key pair of each QKD server is issued by a uniform trusted server, the access terminal is connected to the QKD servers in the QKD network through the network, one access terminal can only be connected to one QKD server at the same time, and the access terminal is provided with the public and private key pair issued by the connected QKD server; the public and private key pair issuing process of each node is as follows:
step 2-1, a trusted CA server is used for creating domain server certificates for all QKD nodes;
step 2-2, installing domain server certificates for all QKD nodes and installing CA service;
2-3, the access terminals which are communicated with each other have classical password calculation capacity and support algorithms of SM2, SM3 and SM 4;
step 2-4, the access terminals which are communicated with each other are defined as an access terminal A and an access terminal B, the access terminal A and the access terminal B are respectively connected to different domain servers, are correspondingly a domain server i and a domain server j, and are allocated with IP addresses;
step 2-5, using respective domain server to issue certificate for terminal connected thereto;
step 2-6, respectively installing the issued certificates into the equipment;
step 2-7, sharing the public key in the certificate between the access terminal A and the access terminal B,
the specific process of realizing quantum key encryption and decryption communication between the two communication QKD nodes in the step 4) is as follows:
step 4-1, generating random numbers and time parameter information by the access terminal A, calculating request data and sending the request data to the access terminal B, wherein the encryption and signature algorithm uses an SM2 standard algorithm, and the Hash algorithm uses SM 3;
step 4-2, the access terminal B verifies the request sent by the access terminal A, extracts information, calculates response data and sends the response data back to the access terminal A, wherein the encryption, signature and signature verification algorithm uses an SM2 standard algorithm, and the Hash algorithm uses SM 3;
step 4-3, the access terminal A verifies the response data sent by the access terminal B and extracts the information;
step 4-4, the access terminal A calculates request data according to the extracted information and uses a TCP protocol to launch the request data to a domain server i;
step 4-5, the access terminal B calculates request data according to the extracted information and uses a TCP protocol to start a domain server j;
step 4-6, the domain server i verifies the identity of the access terminal A and extracts Token;
step 4-7, the domain server j verifies the identity of the access terminal B and extracts Token;
step 4-8, the domain server i and the domain server j confirm whether the Token is consistent;
step 4-9, the domain server uses SM2 algorithm to negotiate session key with the device through TCP connection;
4-10, the domain server i and the domain server j use a decoy state protocol to distribute the quantum key;
step 4-11, the domain server i encrypts the quantum key by using the session key, and sends the encrypted quantum key to the access terminal A by using the established TCP channel;
step 4-12, the domain server j encrypts the quantum key by using the session key, and sends the encrypted quantum key to the access terminal B by using the established TCP channel;
step 4-13, the access terminal A uses the obtained quantum key encryption information to send the information and the key identification to the access terminal B;
and 4-14, the access terminal B finds the quantum encryption key according to the identifier and decrypts the information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210147531.8A CN114221765B (en) | 2022-02-17 | 2022-02-17 | Quantum key distribution method for fusion of QKD network and classical cryptographic algorithm |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210147531.8A CN114221765B (en) | 2022-02-17 | 2022-02-17 | Quantum key distribution method for fusion of QKD network and classical cryptographic algorithm |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114221765A CN114221765A (en) | 2022-03-22 |
CN114221765B true CN114221765B (en) | 2022-05-24 |
Family
ID=80709270
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210147531.8A Active CN114221765B (en) | 2022-02-17 | 2022-02-17 | Quantum key distribution method for fusion of QKD network and classical cryptographic algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114221765B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115426106B (en) * | 2022-08-26 | 2023-05-23 | 北京海泰方圆科技股份有限公司 | Identity authentication method, device and system, electronic equipment and storage medium |
CN116707807B (en) * | 2023-08-09 | 2023-10-31 | ***量子科技有限公司 | Distributed zero-trust micro-isolation access control method and system |
CN117579276B (en) * | 2024-01-16 | 2024-03-29 | 浙江国盾量子电力科技有限公司 | Quantum encryption method for feeder terminal and quantum board card module |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107359994A (en) * | 2017-07-19 | 2017-11-17 | 国家电网公司 | The integrated encryption device that a kind of quantum cryptography blends with classical password |
CN111490871A (en) * | 2020-03-13 | 2020-08-04 | 南京南瑞国盾量子技术有限公司 | SM9 key authentication method and system based on quantum key cloud and storage medium |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8340298B2 (en) * | 2006-04-18 | 2012-12-25 | Magiq Technologies, Inc. | Key management and user authentication for quantum cryptography networks |
CN107040378A (en) * | 2017-06-01 | 2017-08-11 | 浙江九州量子信息技术股份有限公司 | A kind of key dispatching system and method based on Multi-user Remote Communication |
CN109842485B (en) * | 2017-11-26 | 2021-07-20 | 成都零光量子科技有限公司 | Centralized quantum key service network system |
CN109194477B (en) * | 2018-11-12 | 2024-04-02 | 中共中央办公厅电子科技学院 | Access node device for quantum secret communication network system and communication network system comprising the same |
CN109639407A (en) * | 2018-12-28 | 2019-04-16 | 浙江神州量子通信技术有限公司 | A method of information is encrypted and decrypted based on quantum network |
CN109818756A (en) * | 2019-03-13 | 2019-05-28 | 北京信息科技大学 | A kind of identity authorization system implementation method based on quantum key distribution technology |
-
2022
- 2022-02-17 CN CN202210147531.8A patent/CN114221765B/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107359994A (en) * | 2017-07-19 | 2017-11-17 | 国家电网公司 | The integrated encryption device that a kind of quantum cryptography blends with classical password |
CN111490871A (en) * | 2020-03-13 | 2020-08-04 | 南京南瑞国盾量子技术有限公司 | SM9 key authentication method and system based on quantum key cloud and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN114221765A (en) | 2022-03-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN114221765B (en) | Quantum key distribution method for fusion of QKD network and classical cryptographic algorithm | |
WO2017185999A1 (en) | Method, apparatus and system for encryption key distribution and authentication | |
WO2017185692A1 (en) | Key distribution and authentication method, apparatus and system | |
CN107919956A (en) | End-to-end method for protecting under a kind of internet of things oriented cloud environment | |
CN111756529B (en) | Quantum session key distribution method and system | |
CN102318258A (en) | Identity based authenticated key agreement protocol | |
JP2014529238A (en) | System and method for providing secure multicast intra-cluster communication | |
CN113630248B (en) | Session key negotiation method | |
CN113037499B (en) | Block chain encryption communication method and system | |
CN112637136A (en) | Encrypted communication method and system | |
TWI760546B (en) | Computer-implemented system and method for highly secure, high speed encryption and transmission of data | |
CN111756528B (en) | Quantum session key distribution method, device and communication architecture | |
CN114285571A (en) | Method, gateway device and system for using quantum key in IPSec protocol | |
CN111756530B (en) | Quantum service mobile engine system, network architecture and related equipment | |
CN110581829A (en) | Communication method and device | |
CN113676448B (en) | Offline equipment bidirectional authentication method and system based on symmetric key | |
CN109995723B (en) | Method, device and system for DNS information interaction of domain name resolution system | |
CN114143050A (en) | Video data encryption system | |
CN116684093B (en) | Identity authentication and key exchange method and system | |
EP3340530B1 (en) | Transport layer security (tls) based method to generate and use a unique persistent node identity, and corresponding client and server | |
CN114826593B (en) | Quantum security data transmission method and digital certificate authentication system | |
CN116232759A (en) | Mist-blockchain assisted smart grid aggregation authentication method | |
Dey et al. | An efficient dynamic key based eap authentication framework for future ieee 802.1 x wireless lans | |
CN116865966B (en) | Encryption method, device and storage medium for generating working key based on quantum key | |
WO2023151427A1 (en) | Quantum key transmission method, device and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |