CN114448633B - File encryption method and device based on quantum key, electronic equipment and medium - Google Patents

File encryption method and device based on quantum key, electronic equipment and medium Download PDF

Info

Publication number
CN114448633B
CN114448633B CN202210362718.XA CN202210362718A CN114448633B CN 114448633 B CN114448633 B CN 114448633B CN 202210362718 A CN202210362718 A CN 202210362718A CN 114448633 B CN114448633 B CN 114448633B
Authority
CN
China
Prior art keywords
file
key
encryption key
request
file encryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210362718.XA
Other languages
Chinese (zh)
Other versions
CN114448633A (en
Inventor
詹俊锐
邝礼刚
潘羡忠
丁松燕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Yiketeng Information Technology Co ltd
Original Assignee
Nanjing Yiketeng Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Yiketeng Information Technology Co ltd filed Critical Nanjing Yiketeng Information Technology Co ltd
Priority to CN202210362718.XA priority Critical patent/CN114448633B/en
Publication of CN114448633A publication Critical patent/CN114448633A/en
Application granted granted Critical
Publication of CN114448633B publication Critical patent/CN114448633B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms the keys or algorithms being changed during operation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application discloses a quantum key-based file encryption method and device, electronic equipment and a medium. According to the scheme, the terminal equipment and the file key management system based on the quantum key distribution network can safely distribute the symmetric key, the symmetric key is used for establishing the safe channel, and the file encryption key is issued to the terminal equipment through the safe channel to encrypt the file, so that the file storage safety is improved.

Description

File encryption method and device based on quantum key, electronic equipment and medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a quantum key based file encryption method and apparatus, an electronic device, and a computer-readable storage medium.
Background
With the rapid development of information communication technology, the degree of informatization of the society is changing day by day, the electronic collection and storage of national, institutional and personal information are gradually completed, and with the transmission and storage of the information in the network space, the demand for the safety guarantee of the information is increasing day by day, and the facing safety threat is also becoming severe day by day.
At present, for the protection of electronic files in various industries, identity authentication and key agreement issuing are basically completed based on an asymmetric cryptographic algorithm, the issued key is used for encrypting and storing the electronic files, and the file encryption key and the encrypted files are both stored on a terminal. The problem brought by the method is that on one hand, the safe storage of the file encryption key is a problem, and on the other hand, the long life cycle of the asymmetric key is used, so that the relevance exists between data samples encrypted by the file encryption key based on asymmetric key negotiation, and the relevance is easy to be broken by quantum computation.
Therefore, there is a need to address the problems of the prior art.
Disclosure of Invention
The application aims to provide a quantum key-based file encryption method, a quantum key-based file encryption device, an electronic device and a computer-readable storage medium, wherein a symmetric key is safely distributed between a terminal device and a file key management system (server device) based on a quantum key distribution network, a secure channel is established by using the symmetric key, the file encryption key is issued to the terminal device through the secure channel for encrypting a file, and the file encryption key and the encrypted file are respectively controlled by different systems, so that the problem of file information leakage caused by unilateral data leakage is solved.
According to a first aspect of the present application, an embodiment of the present application provides a quantum key-based file encryption method, for a terminal device, the method including:
sending an authentication access request to a file key management system, and receiving an authentication access request response from the file key management system; the file key management system is connected with the terminal equipment in an authenticated manner through a quantum key distribution network;
sending a file key generation request to a file key management system, and receiving a file key generation request response from the file key management system, wherein the file key generation request response comprises a file encryption key and a file identifier;
based on the file encryption key and the file identification, performing encryption operation on the file to be encrypted to obtain an encrypted file;
responding to the opening operation aiming at the encrypted file, sending a file key inquiry request to a file key management system based on a file identifier, and receiving a file key inquiry request response from the file key management system, wherein the file key inquiry request response contains a file encryption key;
the encrypted file is decrypted based on the obtained file encryption key.
According to a second aspect of the present application, an embodiment of the present application provides a quantum key-based file encryption method, for a terminal device, the method including:
sending a file encryption key request to a mobile storage medium, and receiving a file encryption key request response from the mobile storage medium, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted, and the file encryption key request response comprises a file encryption key request ciphertext message, an equipment identifier of the mobile storage medium and an encryption key index;
aiming at a file encryption key request ciphertext message, sending a file key request to a file key management system, and receiving a file key response from the file key management system, wherein the file key response comprises the file key response message, an equipment identifier of a mobile storage medium and an encryption key index, and the file key management system is in authenticated connection with terminal equipment through a quantum key distribution network;
sending a file key decryption request to the mobile storage medium aiming at the file key response message, and receiving a file key decryption request response from the mobile storage medium to obtain a plaintext file encryption key response message;
analyzing to obtain a file encryption key ciphertext and a file identifier based on the plaintext file encryption key response message;
sending a file encryption key ciphertext to the mobile storage medium, and receiving a response from the mobile storage medium to the file encryption key ciphertext; the mobile storage medium obtains a plaintext file encryption key based on a file encryption key ciphertext;
and sending the file to be encrypted to the mobile storage medium, and receiving the encrypted file which is returned by the mobile storage medium and is generated based on the plaintext file encryption key.
According to a third aspect of the present application, an embodiment of the present application provides a quantum key-based file encryption method for a removable storage medium, the method including:
receiving a file encryption key request from terminal equipment, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted;
encrypting a plaintext file encryption key request message based on a quantum key provided by a preset quantum key set to obtain a file encryption key request ciphertext message, and returning the file encryption key request ciphertext message to the terminal equipment;
receiving a file decryption key request from the terminal equipment, wherein the file decryption key request comprises a file encryption key response ciphertext message, an equipment identifier of a mobile storage medium and an encryption key index, and the file key management system is connected with the terminal equipment through a quantum key distribution network in an authenticated manner;
retrieving a preset quantum key set based on the device identification and the encryption key index of the mobile storage medium to obtain a corresponding quantum key;
based on the obtained corresponding quantum key, decrypting the file encryption key response ciphertext message to obtain a plaintext file encryption key response message, and returning the plaintext file encryption key response message to the terminal equipment;
receiving a file encryption key ciphertext from the terminal equipment and an encryption key index corresponding to the file encryption key ciphertext, and obtaining a corresponding quantum key based on the encryption key index;
based on the obtained corresponding quantum key, decrypting the file encryption key ciphertext to obtain a plaintext file encryption key;
and receiving the file to be encrypted provided by the terminal equipment, encrypting the file to be encrypted based on the plaintext file encryption key to obtain an encrypted file, and returning the encrypted file to the terminal equipment.
According to a fourth aspect of the present application, an embodiment of the present application provides a quantum key-based file encryption method for a file key management system, the method including:
receiving a file key generation request from a terminal device, wherein the file key management system is connected with the terminal device in an authenticated manner through a quantum key distribution network;
acquiring random numbers generated by a quantum random number generator and using the random numbers as a plaintext file encryption key;
encrypting a plaintext file encryption key based on a quantum key provided by a preset quantum key set to obtain a file encryption key ciphertext;
encrypting a file encryption key ciphertext and a file identifier based on a quantum key provided by a preset quantum key set to obtain a file encryption key response ciphertext message;
and sending the file key response to the terminal equipment based on the file encryption key response ciphertext message.
According to a fifth aspect of the present application, an embodiment of the present application provides a quantum key-based file encryption apparatus for a terminal device, the apparatus including:
the message encryption transceiving module is used for sending a file encryption key request to the mobile storage medium and receiving a file encryption key request response from the mobile storage medium, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted, and the file encryption key request response comprises a file encryption key request ciphertext message, an equipment identifier of the mobile storage medium and an encryption key index;
the system comprises a key request transceiving module, a file key management system and a terminal device, wherein the key request transceiving module is used for sending a file key request to the file key management system aiming at a file encryption key request ciphertext message and receiving a file key response from the file key management system, the file key response comprises the file key response message, a device identifier of a mobile storage medium and an encryption key index, and the file key management system is in authenticated connection with the terminal device through a quantum key distribution network;
the decryption message receiving and sending module is used for sending a file decryption key request to the mobile storage medium according to the file encryption key response message and receiving a file decryption key request response from the mobile storage medium to obtain a plaintext file encryption key response message;
the analysis module is used for analyzing to obtain a file encryption key ciphertext and a file identifier based on the plaintext file encryption key response message;
the decryption key transceiving module is used for sending a file encryption key ciphertext to the mobile storage medium and receiving a response aiming at the file encryption key ciphertext from the mobile storage medium; the mobile storage medium obtains a plaintext file encryption key based on the file encryption key ciphertext;
and the file encryption transceiving module is used for sending the file to be encrypted to the mobile storage medium and receiving the encrypted file which is returned by the mobile storage medium and is generated based on the plaintext file encryption key.
According to a sixth aspect of the present application, an embodiment of the present application provides a quantum key based file encryption apparatus for a removable storage medium, the apparatus including:
the plaintext message receiving module is used for receiving a file encryption key request from the terminal equipment, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted;
the plaintext message encryption module is used for encrypting a plaintext file encryption key request message based on a quantum key provided by a preset quantum key set to obtain a file encryption key request ciphertext message and returning the file encryption key request ciphertext message to the terminal equipment;
a ciphertext message receiving module, configured to receive a decrypt file key request from the terminal device, where the decrypt file key request includes a file encrypt key response ciphertext message, a device identifier of the mobile storage medium, and an encrypt key index, and the file key management system is authenticated and connected to the terminal device through a quantum key distribution network;
the first key retrieval module is used for retrieving a preset quantum key set based on the equipment identification and the encryption key index of the mobile storage medium so as to obtain a corresponding quantum key;
the ciphertext message decryption module is used for decrypting the file encryption key response ciphertext message based on the obtained corresponding quantum key to obtain a plaintext file encryption key response message and returning the plaintext file encryption key response message to the terminal equipment;
the second key retrieval module is used for receiving a file encryption key ciphertext from the terminal equipment and an encryption key index corresponding to the file encryption key ciphertext and obtaining a corresponding quantum key based on the encryption key index;
the ciphertext decryption module is used for decrypting the file encryption key ciphertext to obtain a plaintext file encryption key based on the obtained corresponding quantum key;
and the file encryption module is used for receiving the file to be encrypted provided by the terminal equipment, encrypting the file to be encrypted based on the plaintext file encryption key to obtain an encrypted file, and returning the encrypted file to the terminal equipment.
According to a seventh aspect of the present application, an embodiment of the present application provides a quantum key-based file encryption apparatus for a file key management system, the apparatus including:
the system comprises a key request module, a file key management module and a data processing module, wherein the key request module is used for receiving a file key generation request from a terminal device, and the file key management system is connected with the terminal device through a quantum key distribution network in an authenticated manner;
the key generation module is used for acquiring random numbers generated by the quantum random number generator and using the random numbers as a plaintext file encryption key;
the ciphertext generating module is used for encrypting the plaintext file encryption key based on the quantum key provided by the preset quantum key set to obtain a file encryption key ciphertext;
the message generation module is used for encrypting the file encryption key ciphertext and the file identifier based on the quantum key provided by the preset quantum key set so as to obtain a file encryption key response ciphertext message;
and the key request response module is used for responding the ciphertext message based on the file encryption key and sending a file key response to the terminal equipment.
According to an eighth aspect of the present application, an embodiment of the present application provides an electronic device including a memory and a processor; the memory stores a computer program, and the processor is configured to execute the computer program in the memory to perform the quantum key-based file encryption method according to any embodiment of the present application.
According to a ninth aspect of the present application, an embodiment of the present application provides a computer-readable storage medium, which stores a computer program, and the computer program is suitable for being loaded by a processor to execute the quantum-key-based file encryption method according to any one of the embodiments of the present application.
Embodiments of the present application provide a method, an apparatus, an electronic device, and a computer-readable storage medium for file encryption based on a quantum key, which securely distribute a symmetric key between a terminal device and a file key management system (server device) based on a quantum key distribution network, establish a secure channel using the symmetric key, and issue a file encryption key to the terminal device through the secure channel for encrypting a file, and use the symmetric key in a "one-time pad" manner based on the secure channel, the keys are unrelated, thereby improving the security of file storage. In addition, the method and the device realize the separation of the key and the data, namely the file encryption key and the encrypted file are respectively controlled by different systems, so that the problem of file information leakage caused by single-party data leakage is solved. In addition, the application also realizes double policy control of file encryption and decryption, namely the generation and issuing policies of the file encryption key are controlled and executed by the file key management system, and the decryption policy of the file is controlled and executed by an application terminal (terminal equipment).
Drawings
The technical solution and other advantages of the present application will become apparent from the detailed description of the embodiments of the present application with reference to the accompanying drawings.
Fig. 1 is a schematic view of a scene of a quantum key-based file encryption method according to an embodiment of the present application.
Fig. 2 is a schematic flowchart illustrating steps of a quantum key-based file encryption method according to an embodiment of the present application.
Fig. 3 is a schematic step diagram of the preceding step of step S110 shown in fig. 2.
Fig. 4 is a schematic diagram illustrating an exemplary step subsequent to step S160 shown in fig. 2.
Fig. 5 is a schematic diagram illustrating another exemplary step sequence of the steps subsequent to step S160 shown in fig. 2.
Fig. 6 is a schematic step diagram of a step subsequent to step S186 shown in fig. 5.
Fig. 7 is a flowchart illustrating steps of a quantum key-based file encryption method according to an embodiment of the present application.
Fig. 8 is a step diagram illustrating a preamble of step S210 shown in fig. 7.
Fig. 9 is a step diagram of a step subsequent to step S280 shown in fig. 7.
Fig. 10 is another exemplary step diagram of the preamble of step S210 shown in fig. 7.
Fig. 11 is a flowchart illustrating steps of a quantum key-based file encryption method according to an embodiment of the present application.
Fig. 12 is a schematic step diagram of a step subsequent to step S350 shown in fig. 11.
Fig. 13 is a step diagram of a step subsequent to step S362 shown in fig. 12.
Fig. 14 is a step diagram illustrating a preamble of step S310 shown in fig. 11.
Fig. 15 is a signaling flowchart of a first part of a quantum key-based file encryption method according to an embodiment of the present application.
Fig. 16 is a signaling flowchart of a second part of a quantum key-based file encryption method according to an embodiment of the present application.
Fig. 17 is a schematic diagram of a ciphertext file format.
Fig. 18 is a signaling flowchart of a third part of a quantum key-based file encryption method according to an embodiment of the present application.
Fig. 19 is a flowchart illustrating steps of a quantum-key-based file encryption method according to an embodiment of the present application.
Fig. 20 is a signaling flow diagram of the quantum key-based file encryption method shown in fig. 19.
Fig. 21 is a schematic diagram of an architecture of quantum-key-based file encryption according to an embodiment of the present application.
Fig. 22 is a schematic diagram of an architecture of quantum-key-based file encryption according to another embodiment of the present application.
Fig. 23 is a schematic diagram of an architecture of quantum-key-based file encryption according to another embodiment of the present application.
Fig. 24 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides a quantum key-based file encryption method and related equipment, and the related equipment can comprise a quantum key-based file encryption device, electronic equipment and a computer-readable storage medium. The quantum key-based file encryption device may be specifically integrated in an electronic device, where the electronic device may be a terminal device or a server device.
It can be understood that the file encryption method based on the quantum key of the embodiment may be executed on a terminal device, may also be executed on a server device, and may also be executed by both the terminal device and the server device. The above examples should not be construed as limiting the present application. It should be noted that the file key management system described below may be a server cluster or a distributed system formed by a plurality of physical servers.
For example, a terminal device and a server device jointly execute a quantum key-based file encryption method. The file encryption method based on the quantum key comprises terminal equipment and server equipment. The terminal device and the server device may be connected through a network, such as a wired network connection or a wireless network connection, wherein the quantum key-based file encryption apparatus may be integrated in the terminal device or the server device. The terminal device may include a tablet Computer, a notebook Computer, a Personal Computer (PC), or the like. The terminal device can also be provided with a client, and the client can be an application program client or a browser client and the like. The server device may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network), a big data and artificial intelligence platform, and the like. The application discloses a quantum key-based file encryption method or device, wherein a plurality of servers can be combined into a block chain, and the servers are nodes on the block chain.
The quantum key based file encryption method or apparatus disclosed herein supports quantum key distribution technology (QKD technology). The Quantum Key Distribution (QKD for short) technology utilizes Quantum mechanical characteristics to ensure communication security. It enables both communicating parties to generate and share a random, secure key to encrypt and decrypt messages.
The file encryption method based on the quantum key provided by the embodiment of the application can be applied to the scene shown in fig. 1. The application terminal 10 shown in fig. 1 may operate on the above-described terminal device, and the file key management system 20 may operate on the above-described server device. Also, the file key management system 20 is connected to a service end (QKD-S) of the QKD network (e.g., QKD gateway a shown in fig. 1), the application terminal 10 is connected to a quantum secure U-shield 30 (e.g., the quantum secure U-shield 30 can be connected to the application terminal), and the quantum secure U-shield 30 can be connected to a quantum key populating station 40 for populating the key. The Quantum Key charging site 40 is connected to a client (QKD-C) of a Quantum Key Distribution (QKD for short) network (such as a QKD gateway B shown in fig. 1), and the QKD network can realize that Quantum keys of the client and the server are always consistent. The file key management system 20 may be equipped with a quantum random number generator 60 for generating file encryption keys. The quantum secure U-shield 30 transfers the quantum key from the quantum key populating site 40 to the quantum secure U-shield 30 so that there is a symmetric quantum key between the quantum secure U-shield 30 and the file key management system 20. When the quantum security U shield 30 accesses the application terminal 10, the application terminal 10 can utilize the symmetric quantum key of the quantum security U shield 30 to complete the processes of identity authentication, secure channel establishment, file encryption key issuing, and the like with the file key management system 20.
Furthermore, part of the functionality of the quantum secure U-shield (hereinafter referred to as mobile storage medium) described herein may also be integrated in the terminal device. Further, the application terminal and the quantum security U-shield may be integrated in the same terminal device, but are not limited thereto.
As shown in fig. 2, an embodiment of the present application provides a quantum key-based file encryption method for a terminal device, where the method includes: step S110, sending a file encryption key request to a mobile storage medium, and receiving a file encryption key request response from the mobile storage medium, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted, and the file encryption key request response comprises a file encryption key request ciphertext message, an equipment identifier of the mobile storage medium and an encryption key index; step S120, aiming at a file encryption key request ciphertext message, sending a file key request to a file key management system, and receiving a file key response from the file key management system, wherein the file key response comprises the file key response message, the equipment identifier of the mobile storage medium and an encryption key index, and the file key management system is connected with the terminal equipment through a quantum key distribution network in an authenticated manner; step S130, aiming at the file key response message, sending a file key decryption request to the mobile storage medium, and receiving a file key decryption request response from the mobile storage medium to obtain a plaintext file encryption key response message; step S140, analyzing to obtain a file encryption key ciphertext and a file identifier based on the plaintext file encryption key response message; step S150, sending a file encryption key ciphertext to the mobile storage medium, and receiving a response from the mobile storage medium for the file encryption key ciphertext; the mobile storage medium obtains a plaintext file encryption key based on a file encryption key ciphertext; step S160, sending the file to be encrypted to the mobile storage medium, and receiving the encrypted file generated based on the plaintext file encryption key and returned by the mobile storage medium.
By executing steps S110 to S160, the application realizes that the quantum key is used to encrypt and decrypt the message transmitted between the terminal device and the file key management system, so as to achieve the purpose of a secure channel, and the file to be encrypted of the terminal device is encrypted based on the file encryption key provided by the file key management system.
In an embodiment, in addition to performing steps S110 to S160, before the sending of the file encryption key request to the removable storage medium in step S110, the method further includes: step S101, sending an encryption authentication request to a mobile storage medium, and receiving an encryption authentication request response from the mobile storage medium, wherein the encryption authentication request contains a plaintext authentication request message; the encryption authentication request response comprises an authentication request ciphertext message, the equipment identification of the mobile storage medium and an encryption key index; step S102, aiming at an authentication request ciphertext message, sending an authentication request to a file key management system, and receiving an authentication response from the file key management system, wherein the authentication response comprises an authentication response message, a device identifier of a mobile storage medium and an encryption key index; step S103, sending a decryption authentication response request to the removable storage medium for the authentication response packet, and receiving a response of the decryption authentication response request from the removable storage medium, so as to obtain a plaintext authentication response packet. In particular, reference is made to fig. 3.
In this embodiment, the authenticated connection between the terminal device and the file key management system is realized by performing steps S101 to S103.
In an embodiment, in addition to performing steps S110 to S160, after step S160, that is, after the sending of the file encryption key ciphertext to the mobile storage medium and receiving a response to the file encryption key ciphertext from the mobile storage medium, the method further includes: step S171, sending a file encryption key deletion instruction to the mobile storage medium; step S172, receiving a response to the file encryption key deletion instruction from the removable storage medium. In particular, reference is made to fig. 4.
In this embodiment, by performing steps S171 to S172, it can be achieved that the terminal device (e.g., application terminal) and the mobile storage medium (e.g., quantum security U shield) do not retain the file encryption key, so as to ensure the separation of the file encryption key and the file data, the file data is managed by the user or a third party system, the file encryption keys are managed by the file key management system and do not interfere with each other, and a provisional application is performed when the user needs to use the file encryption key, so as to reduce the possibility of data leakage and cracking.
Further, step S160, namely, the sending the file to be encrypted to the mobile storage medium, further includes: and sending attribute data aiming at the file to be encrypted to the mobile storage medium, wherein the attribute data is used for indicating a decryption strategy of the encrypted file.
In this embodiment, by executing the above steps, it can be realized that when a file is encrypted, a user can set a private decryption policy to control the decryption reading authority of a requester, so that the flexibility of the decryption policy can be increased, the control granularity can be improved, and the system pressure caused when the file key management system centrally manages the decryption policy can be reduced.
In an embodiment, in addition to executing steps S110 to S160, after step S160, that is, sending the file to be encrypted to the removable storage medium and receiving the encrypted file generated based on the plaintext file encryption key and returned by the removable storage medium, the method further includes: step S181 of sending a file encryption key request to a removable storage medium, and receiving a file encryption key request response from the removable storage medium, wherein the file encryption key request includes a plaintext file encryption key request packet for an encrypted file, and the file encryption key request response includes a file encryption key request ciphertext packet, an apparatus identifier of the removable storage medium, and an encryption key index; step S182, aiming at a file encryption key request ciphertext message, sending a file key request to a file key management system, and receiving a file key response from the file key management system, wherein the file key request comprises a file identifier, and the file key response comprises a file key response message, an equipment identifier of a mobile storage medium and an encryption key index; step S183, aiming at the file key response message, sending a file key decryption request to the mobile storage medium, and receiving a file key decryption request response from the mobile storage medium to obtain a plaintext file encryption key response message; step S184, analyzing to obtain a file encryption key ciphertext based on the plaintext file encryption key response message; step S185, sending a file encryption key ciphertext to the mobile storage medium, and receiving a response to the file encryption key ciphertext from the mobile storage medium; the mobile storage medium obtains a plaintext file encryption key based on a file encryption key ciphertext; in step S186, the encrypted file is sent to the removable storage medium, and the decrypted file generated based on the plaintext file encryption key and returned by the removable storage medium is received. As can be seen in particular in fig. 5.
In this embodiment, decryption of the encrypted file is achieved by performing steps S181 to S186.
It should be noted that, as the file encryption key request and the file encryption key request response mentioned in step S181, the file key request and the file key response mentioned in step S182, and the file decryption key request response mentioned in step S183, these terms also include the meaning of query, that is, by executing these steps, the file key can be queried, and the encrypted file can be decrypted according to the file key obtained by the query.
Further, after the step S186, that is, after the sending the encrypted file to the removable storage medium, the method further includes: step S1861, receiving attribute data returned by the mobile storage medium, wherein the attribute data is obtained by decrypting the encrypted attribute data in the encrypted file by the mobile storage medium; step S1862, based on the attribute data, analyzing to obtain decryption strategy attribute data; step S1863, judge whether the request side has the authority to decipher the file on the basis of deciphering the tactics attribute data; step S1864, if the requestor has the authority to decrypt the file, the requestor instructs the mobile storage medium to continue decrypting the file and returns a decrypted file generated based on the plaintext file encryption key; step S1865, if the requestor does not have the authority to decrypt the file, the plaintext file encryption key of the mobile storage medium is deleted. See in particular fig. 6.
In the embodiment, the corresponding decryption policy is obtained by obtaining the attribute data of the decryption policy, and accordingly, whether the requester has the authority to decrypt the file is judged, and the use authority of the decrypted file is controlled according to different judgment results. By implementing the method, the security of the file data can be further improved.
Referring to fig. 7, in an embodiment, the present application provides a quantum key based file encryption method for a removable storage medium, the method including: step S210, receiving a file encryption key request from a terminal device, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted; step S220, encrypting a plaintext file encryption key request message based on a quantum key provided by a preset quantum key set to obtain a file encryption key request ciphertext message, and returning the file encryption key request ciphertext message to the terminal equipment; step S230, receiving a decryption file key request from the terminal device, where the decryption file key request includes a file encryption key response ciphertext message, a device identifier of a mobile storage medium, and an encryption key index, and the file key management system is authenticated and connected to the terminal device through a quantum key distribution network; step S240, retrieving a preset quantum key set based on the device identifier and the encryption key index of the mobile storage medium to obtain a corresponding quantum key; step S250, based on the obtained corresponding quantum key, decrypting the file encryption key response ciphertext message to obtain a plaintext file encryption key response message, and returning the plaintext file encryption key response message to the terminal equipment; step S260, receiving a file encryption key ciphertext from the terminal equipment and an encryption key index corresponding to the file encryption key ciphertext, and obtaining a corresponding quantum key based on the encryption key index; step S270, based on the obtained corresponding quantum key, decrypting the file encryption key ciphertext to obtain a plaintext file encryption key; step S280, receiving the file to be encrypted provided by the terminal device, encrypting the file to be encrypted based on the plaintext file encryption key to obtain an encrypted file, and returning the encrypted file to the terminal device.
In this embodiment, the encryption and decryption of the message, the key ciphertext and the like through the mobile storage medium (e.g., quantum security U-shield) are realized by executing steps S210 to S280.
It should be noted that the quantum security U shield is a storage medium for quantum keys, and can transfer quantum keys from the QKD quantum key distribution network and apply the quantum keys to mobile application terminals, thereby solving the problem that the QKD network coverage is insufficient to provide real-time access to mobile terminals. Before the quantum security U shield is used, the quantum security U shield needs to be issued and registered in a file key management system, that is, the quantum security U shield is directly accessed to a host of the file key management system, the file key management system distributes an equipment identifier (or called equipment ID, hereinafter the same as the equipment ID) and an equipment basic authentication key for the quantum security U shield, the equipment ID and the equipment basic authentication key are written into the quantum security U shield, and meanwhile, the file key management system stores the equipment ID and the equipment basic authentication key information. The device base authentication key is generated by a Quantum Random Number Generator (QRNG) and stored encrypted on the file key management system.
In an embodiment, in addition to performing steps S210 to S280, before step S210, that is, before receiving the file encryption key request from the terminal device, the method further includes: step S201, receiving an encryption authentication request from the terminal equipment, wherein the encryption authentication request comprises a plaintext authentication request message; step S202, encrypting a plaintext authentication request message based on a quantum key provided by a preset quantum key set to obtain an authentication request ciphertext message; step S203, sending an encryption authentication request response to the terminal equipment, wherein the encryption authentication request response comprises an authentication request ciphertext message; step S204, receiving a decryption authentication response request from the terminal equipment, wherein the decryption authentication response request comprises an authentication response message, an equipment identifier of the mobile storage medium and an encryption key index; step S205, retrieving a preset quantum key set based on the device identifier and the encryption key index of the mobile storage medium to obtain a corresponding quantum key; and step S206, based on the obtained corresponding quantum key, decrypting the authentication response message to obtain a plaintext authentication response message, and returning the plaintext authentication response message to the terminal equipment. As can be seen in particular in fig. 8.
Step S201 to step S206 are executed, and step S101 to step S103 are combined to assist the terminal device and the file key management system to complete the authentication connection.
In an embodiment, in addition to performing steps S210 to S280, after step S280 is performed, that is, after the receiving the file to be encrypted provided by the terminal device, and encrypting the file to be encrypted based on the plaintext file encryption key to obtain an encrypted file, and returning the encrypted file to the terminal device, the method further includes: step S291, receiving a file encryption key request from the terminal device, where the file encryption key request includes a plaintext file encryption key request packet for an encrypted file; step S292, based on the quantum key provided by the preset quantum key set, encrypting the plaintext file encryption key request message to obtain a file encryption key request ciphertext message, and returning to the terminal device; step S293, receiving a decryption file key request from the terminal device, wherein the decryption file key request comprises a file encryption key response ciphertext message, a device identifier of the mobile storage medium and an encryption key index; step S294, retrieving a preset quantum key set based on the device identifier and the encryption key index of the mobile storage medium to obtain a corresponding quantum key; step S295, based on the obtained corresponding quantum key, decrypting the file encryption key response ciphertext message to obtain a plaintext file encryption key response message, and returning to the terminal equipment; step S296, receiving a file encryption key ciphertext from the terminal equipment and an encryption key index corresponding to the file encryption key ciphertext, and obtaining a corresponding quantum key based on the encryption key index; step S297, decrypting the file encryption key ciphertext based on the obtained corresponding quantum key, to obtain a plaintext file encryption key; step S298, receiving the encrypted file provided by the terminal device, decrypting the encrypted file based on the plaintext file encryption key to obtain a decrypted file, and returning the decrypted file to the terminal device. See in particular fig. 9.
In this embodiment, step S291 to step S298 are executed, and in combination with step S181 to step S186, the terminal device is assisted to complete decryption of the encrypted file.
In an embodiment, in addition to performing steps S210 to S280, before step S210, that is, before receiving the file encryption key request from the terminal device, the method further includes: step S2001, providing a device identifier of the mobile storage medium to the quantum key charging station; the quantum key charging site is used for generating corresponding encrypted charging equipment information based on the equipment identifier of the mobile storage medium, sending the encrypted charging equipment information and the equipment identifier of the mobile storage medium to the file key management system, receiving a charging response of the file key management system, sending a quantum key distribution request and receiving a key distribution response to obtain a quantum key set; the quantum key filling site establishes authentication connection with the file key management system through a quantum key distribution network; step S2002, receiving and storing a quantum key set from a quantum key charging site, where the quantum key set includes a plurality of quantum keys. As can be seen in particular in fig. 10.
In this embodiment, by performing steps S2001 to S2002, it may be implemented that the mobile storage medium (e.g., a quantum security U-shield) passes through the quantum key charging site to obtain the identity authentication of the file key management system, and passes through a quantum key distribution network to which the quantum key charging site and the file key management system are connected to obtain the quantum key.
Referring to fig. 11, in an embodiment, the present application provides a quantum key based file encryption method for a file key management system, where the method includes: step S310, receiving a file key generation request from a terminal device, wherein the file key management system is connected with the terminal device through a quantum key distribution network in an authenticated manner; step S320, acquiring random numbers generated by a quantum random number generator and using the random numbers as plaintext file encryption keys; step S330, encrypting a plaintext file encryption key based on a quantum key provided by a preset quantum key set to obtain a file encryption key ciphertext; step S340, encrypting a file encryption key ciphertext and a file identifier based on a quantum key provided by a preset quantum key set to obtain a file encryption key response ciphertext message; and step S350, responding the ciphertext message based on the file encryption key, and sending a file key response to the terminal equipment.
In this implementation, the steps S310 to S350 are executed to implement that when the terminal device needs to use the file encryption key, the file encryption key is provided by the file key management system, so as to achieve the purpose that the file key (here, the file encryption key) is managed and controlled by the file key management system. Thus, safety is improved.
In an embodiment, in addition to performing steps S310 to S350, after step 350, that is, after sending a file key response to the terminal device based on the file encryption key response ciphertext message, the method further includes: step S361, receiving a file encryption key request from a terminal device, wherein the file encryption key request contains a file identifier; step S362, based on the file identification, inquiring to obtain a pre-stored plaintext file encryption key; step S363, encrypting the plaintext file encryption key based on the quantum key provided by the preset quantum key set to obtain a file encryption key ciphertext; step S364, encrypting the file encryption key ciphertext and the file identifier based on the quantum key provided by the preset quantum key set to obtain a file encryption key response ciphertext message; step S365, sending the file key response to the terminal device based on the file encryption key response ciphertext message. In particular, as shown in fig. 12.
The above steps S361 to S365 are executed, and the above steps S181 to S186 are combined to decrypt the encrypted file.
Further, in this embodiment, the file encryption key request further includes encrypted attribute data. Step S362, after querying the pre-stored plaintext file encryption key based on the file identifier, further includes: step S3621, based on the plaintext file encryption key, decrypting the encrypted attribute data to obtain attribute data; step S3622, judging whether the requester has the authority to acquire the encryption key of the plaintext file based on the attribute data and a preset rule; step S3623, if the requestor has the authority to obtain the plaintext file encryption key, the method executes the quantum key provided based on the preset quantum key set to encrypt the plaintext file encryption key to obtain a file encryption key ciphertext. With particular reference to figure 13.
In an embodiment, in addition to performing steps S310 to S350, before step S310, namely receiving a file key generation request from a terminal device, the method further includes: step S3001, receiving filling equipment information from a quantum key filling station; the quantum key filling site establishes authentication connection with the file key management system through a quantum key distribution network; step S3002, determining identity information of the filling equipment based on the filling equipment information; step S3003, sending a filling response to a quantum key filling site; step S3004, after the quantum key charging site sends a distribution request to a quantum key distribution network, receiving a quantum key set pushed by the quantum key distribution network; step S3005, sending a key reception response to the quantum key distribution network. As shown in particular in fig. 14.
By executing steps S3001 to S3005 in combination with steps S2001 to S2002, the mobile storage medium can obtain the quantum key.
The file encryption method based on the quantum key will be described in detail below with reference to the scenario shown in fig. 1 and with reference to fig. 15 to 17. The terminal device takes an application terminal as an example, and the mobile storage medium takes a quantum security U shield as an example. In the process of describing the file encryption method based on the quantum key, the method can comprise three parts, wherein the first part is quantum key distribution and charging; the second part is file encryption key generation and file encryption; and the third part is used for decrypting the ciphertext file.
As shown in fig. 15, in one embodiment, the quantum key based file encryption method includes performing quantum key distribution and population.
Quantum key distribution is performed between file key management system 20 and quantum key escrow site 40, with file key management system 20 and quantum key escrow site 40 accessing corresponding QKD gateway nodes, such as QKD gateway a and QKD gateway B shown in fig. 1, respectively. The quantum key charging site 40 initiates a quantum key distribution request, and the QKD gateway sends the quantum key to the file key management system and the quantum key charging site, respectively, so that the quantum keys obtained by the file key management system and the quantum key charging site are kept consistent. It should be noted that a plurality of quantum keys are stored together, which may be referred to as a quantum key set.
The quantum key population process is performed between the quantum key population site 40 and the quantum secure U-shield 30. Before quantum key distribution, the quantum secure U-shield 30 first accesses the quantum key filling site 40, and the quantum key filling site 40 notifies the file key management system 20 of which quantum secure U-shield the distributed quantum key will fill. This information is protected by the basic authentication key set by the secure quantum U shield 30. During the quantum key distribution process, the quantum key charging station 40 receives the quantum key and writes the quantum key to the quantum secure U-shield 30. After the quantum key distribution is completed, the quantum key charging is completed accordingly.
As shown in fig. 1 and fig. 15, the quantum key based file encryption method may include the following first step part:
1) and the file key management system and the quantum key charging site are respectively accessed into the QKD gateway A and the QKD gateway B, and access authentication is completed.
2) The quantum security U shield is accessed to a quantum security filling site, and the quantum key filling site identifies and acquires the equipment identifier (or equipment ID for short) of the quantum security U shield.
3) The quantum key charging site combines the equipment ID of the quantum security U shield, the charging time of the key, the random number R generated by the quantum security U shield and the summary information obtained by calculation after the information is combined, encrypts the key through the set basic authentication key of the quantum security U shield to obtain ciphertext information, sends the ciphertext information to the file key management system, and simultaneously sends the equipment ID of the plaintext to the file key management system.
4) After receiving the charging equipment information sent by the quantum key charging site, the file key management system retrieves the equipment basic authentication key corresponding to the equipment ID and stored by the file management system according to the equipment ID of the plaintext, decrypts the ciphertext information received by the file key management system by using the equipment basic authentication key, and checks the correctness of the message to realize the identity authentication of the quantum security U shield. After the verification is passed, the device ID, the random number R and the digest information obtained by calculation after the information is combined are encrypted by using a device basic authentication key and sent to a quantum key charging site as a charging response.
5) And the quantum key charging site receives the charging response sent by the file key management system, decrypts and verifies the charging response, and sends a quantum key distribution request to the file key management system to the QKD gateway B.
6) And the QKD network determines that the file key management system belongs to the QKD gateway A according to the preset routing information, and then quantum key distribution negotiation is carried out between the QKD gateway B and the QKD gateway A, and a quantum key is distributed between the QKD gateway A and the QKD gateway B.
7) QKD gateway A, QKD gateway B delivers the distributed quantum key to the file key management system and the quantum key escrow site, respectively.
8) And the file key management system and the quantum key charging station carry out consistency check on the distributed quantum keys, and the quantum key distribution is completed after the check is passed.
9) And the quantum key filling station writes the distributed quantum key into the quantum security U shield to complete the quantum key filling of the quantum security U shield.
In some other embodiments, when the quantum security U shield already stores the same quantum key as the file key management system, the quantum key-based file encryption method may not include the first part.
As will be further described below, the quantum key based file encryption method includes the following second part.
And the second part is file encryption key generation and file encryption. That is, when the application terminal 10 needs to encrypt a file to be encrypted (i.e. a plaintext file), it needs to request the file encryption key (or the plaintext file encryption key, as referred to below) from the file key management system 20, and during the request, it needs to use the quantum security U shield 30 to encrypt and protect the interactive message.
As shown in fig. 1 and fig. 16, the quantum key based file encryption method includes the following second part:
1) before encrypting a file to be encrypted, the quantum security U shield is accessed to an application terminal, and encryption and decryption of subsequent application terminals are completed in the quantum security U shield.
2) The application terminal sends an encryption authentication request to the quantum security U shield, and the quantum security U shield encrypts the received encryption authentication request by using a quantum key provided by a prestored quantum key set to obtain an authentication request ciphertext message which is returned to the application terminal as an encryption authentication request response. The encryption authentication request response also comprises a device ID and an encryption key index of a plaintext quantum security U shield. Wherein the encryption key index is used to indicate which quantum key to use for encryption. The encryption key index here is used to indicate a quantum key used when generating the authentication request ciphertext message. And after receiving the authentication request ciphertext message in the encrypted authentication response, the application terminal sends an authentication request to the file key management system.
3) After receiving the authentication request, the file key management system retrieves a locally stored symmetric quantum key according to the equipment ID and the encryption key index, decrypts an authentication request ciphertext message in the authentication request by using the retrieved quantum key, and verifies the correctness and the legality of the decrypted message. And after the verification is passed, generating an authentication response message, encrypting the authentication response message by using a locally stored quantum key, and simultaneously attaching a plaintext equipment ID and an encryption key index. The device ID is a device ID of the removable storage medium, and the encryption key index is used to indicate a quantum key used when the authentication response message is encrypted.
4) The application terminal receives an authentication response from the file key management system, wherein the authentication response comprises an authentication response message and an encryption key index. And then, the application terminal sends a decryption authentication response request to the quantum security U shield, wherein the decryption authentication response request comprises an authentication response message and an encryption key index. The quantum security U shield retrieves a preset quantum key set based on the encryption key index to obtain a corresponding quantum key, and decrypts the authentication response message according to the quantum key to obtain a plaintext authentication response message. And the quantum security U shield sends a response of the decryption authentication response request to the application terminal, and the application terminal performs correctness and validity verification on the plaintext authentication response message in the response. And when the verification is passed, completing the access authentication of the application terminal to the file key management system. It should be noted that, in some embodiments of the present application, the access authentication of the application terminal to the file key management system is completed, and therefore the quantum key based file encryption method may not perform the above steps. If the access authentication between the application terminal and the file key management system is not completed, the above steps need to be executed.
5) After the access is completed, the application terminal may apply to the file key management system for generating a file encryption key for the file to be encrypted (i.e., the plaintext file). Similar to access authentication, the application terminal sends a file encryption key request to the quantum security U shield. The file encryption key request comprises a plaintext file encryption key request message aiming at a file to be encrypted. And the quantum security U shield encrypts the plaintext file encryption key request message by using the quantum key provided by the pre-stored quantum key set to obtain a file encryption key request ciphertext message which is returned to the application terminal as a file encryption key request response. The file encryption key request response also contains the device ID and the encryption key index of the plaintext quantum security U shield. The encryption key index is used for indicating a quantum key used when generating a file encryption key request ciphertext message. And after receiving the file encryption key request ciphertext message in the file encryption key request response, the application terminal sends a file key request to the file key management system.
6) And after receiving the file key request, the file key management system obtains a locally stored symmetric quantum key according to the equipment ID of the quantum security U shield and the encryption key index. It should be noted that, a corresponding quantum key set (full volume) is indexed according to the device ID, and then a corresponding symmetric quantum key is determined from the quantum key set according to the encryption key index. The file key management system decrypts the file encryption key request ciphertext message according to the quantum key, and checks the correctness and the legality of the request, so that the safety is further improved.
7) After the verification is passed, the file key management system judges whether the operation is allowed according to a preset strategy, and when the operation is allowed, a section of random number is obtained from the quantum random number generator 60 to serve as a file encryption key. At this time, the file encryption key is plaintext, or plaintext file encryption key. The file key management system encrypts the plaintext file encryption key by using the quantum key provided by the locally stored quantum key set to obtain a file encryption key ciphertext. In addition, the file key management system assigns a file identification (i.e., file ID) to the file encryption key. The file identification corresponds to the file encryption key, in other words, the file identification also corresponds to the file to be encrypted. Then, the file key management system encrypts the file encryption key ciphertext, the encryption key index corresponding to the file encryption key ciphertext and the file identifier by using a locally pre-stored quantum key to obtain a file encryption key response ciphertext message. Note that the quantum key used at this time is different from the quantum key used when encrypting the plaintext file encryption key. And then, the file key management system sends a file key response to the application terminal, wherein the file key response comprises a file encryption key response ciphertext message and an encryption key index corresponding to the file encryption key response ciphertext message. Further, the file key management system stores locally thereto a copy of the same file ID and a corresponding plaintext file encryption key.
8) And after receiving the file key response, the application terminal sends a file key decryption request to the quantum security U shield. And the quantum security U shield receives a decryption file key request, wherein the decryption file key request comprises a file encryption key response ciphertext message, the equipment identifier of the quantum security U shield and an encryption key index. And the quantum security U shield obtains a corresponding symmetric quantum key according to the encryption key index, decrypts the file encryption key response ciphertext message according to the quantum key to obtain a plaintext file encryption key response message, and returns the plaintext file encryption key response message to the application terminal. When the application terminal receives the plaintext file encryption key response message, the correctness and the legality of the message are verified, and if the verification is passed, a file encryption key ciphertext, an encryption key index corresponding to the file encryption key ciphertext and a file identifier can be obtained through analysis.
9) And the application terminal sends the file encryption key ciphertext and the encryption key index corresponding to the file encryption key ciphertext to the quantum security U shield. And the quantum security U shield obtains a corresponding quantum key according to the encryption key index corresponding to the file encryption key ciphertext, decrypts the file encryption key ciphertext according to the quantum key to obtain a plaintext file encryption key, and returns a response of the mobile storage medium to the file encryption key ciphertext. The plaintext file encryption key is stored in a quantum security U shield.
10) And the application terminal sends the file to be encrypted to the quantum security U shield. And the quantum security U shield encrypts the file to be encrypted according to the stored plaintext file encryption key to obtain an encrypted file. Further, in some embodiments, the application terminal may send attribute data to the quantum security U shield in addition to the file to be encrypted. The quantum security U shield can encrypt the file to be encrypted and the attribute data together to obtain an encrypted file (or ciphertext file).
It should be noted that the attribute data includes decryption policy attribute data for determining a decryption policy. The fine granularity of the decryption policy sets one or more user or institution departments, for example, to have decryption reading rights. In other words, according to the decryption policy, it is possible to determine whether the requester has the authority to decrypt the encrypted file when the encrypted file is to be decrypted, which can further increase security.
The ciphertext file may include file attribute information of the plaintext and file content of the ciphertext, as shown in fig. 17. Wherein, the encryption identifier: and a fixed identifier located at the starting position of the encrypted file and used for indicating that the file is an encrypted file. File ID: the file key management system assigns a unique identification to the file. Total length of file: after the encryption flag, the total length of the data of all parts of the encrypted file after the file total length information is recorded. Ciphertext length: the total length of the ciphertext data is recorded, and the length of other data is not included. Ciphertext data: and (4) encrypted file data. Plaintext and abstract: and the abstract information of the plaintext data of the file is used for verifying the correctness and the integrity of the decrypted file data. Attribute length: the length of the attribute data is recorded, and the length of the other part of data is not included. Attribute data: the attribute and the strategy of the encrypted file are recorded, such as a creator of the file, attribution organization of the file, reading authority of the file and the like, the attribute data is extensible, various functional attributes can be expanded according to needs, and the part of data is also encrypted data.
11) After the file encryption is completed, the application terminal sends a file encryption key deletion instruction to the quantum security U shield, and the quantum security U shield deletes the plaintext file encryption key according to the file encryption key deletion instruction. Therefore, the quantum security U shield and the application terminal cannot hold a plaintext file encryption key so as to improve the security.
The above is a description of the file encryption key generation and file encryption process, and the following will continue to describe the decryption process of the encrypted file (ciphertext file).
When the application terminal 10 needs to view the encrypted file, the encrypted file needs to be decrypted first. Since neither the application terminal 10 nor the quantum secure U-shield 30 holds a file encryption key (which is a plaintext), the application terminal 10 needs to request the corresponding file encryption key from the file key management system 20 by means of the quantum secure U-shield 30 to decrypt the encrypted file, which is similar to the above-mentioned file encryption process.
As shown in fig. 1 and fig. 18, the quantum key based file encryption method includes the following third part:
1) before decrypting the encrypted file, the quantum security U shield is accessed to the application terminal, and the encryption and decryption of the subsequent application terminal are completed in the quantum security U shield.
2) The application terminal sends an encryption authentication request to the quantum security U shield, and the quantum security U shield encrypts the received encryption authentication request by using a quantum key provided by a prestored quantum key set to obtain an authentication request ciphertext message which is returned to the application terminal as an encryption authentication request response. The encrypted authentication request response also comprises a device ID and an encryption key index of the plaintext quantum security Ushield. Wherein the encryption key index is used to indicate which quantum key to use for encryption. The encryption key index here is used to indicate a quantum key used when generating the authentication request ciphertext message. And after receiving the authentication request ciphertext message in the encrypted authentication response, the application terminal sends an authentication request to the file key management system.
3) After receiving the authentication request, the file key management system retrieves a locally stored symmetric quantum key according to the equipment ID and the encryption key index, decrypts an authentication request ciphertext message in the authentication request by using the retrieved quantum key, and verifies the correctness and the legality of the decrypted message. And after the verification is passed, generating an authentication response message, encrypting the authentication response message by using a locally stored quantum key, and attaching an encryption key index. Wherein the encryption key index is used for indicating a quantum key used when the authentication response message is encrypted.
4) The application terminal receives an authentication response from the file key management system, wherein the authentication response comprises an authentication response message and an encryption key index. And then, the application terminal sends a decryption authentication response request to the quantum security U shield, wherein the decryption authentication response request comprises an authentication response message and an encryption key index. The quantum security U shield retrieves a preset quantum key set based on the encryption key index to obtain a corresponding quantum key, and decrypts the authentication response message according to the quantum key to obtain a plaintext authentication response message. And the quantum security U shield sends a response of the decryption authentication response request to the application terminal, and the application terminal performs correctness and validity verification on the plaintext authentication response message in the response. And after the verification is passed, completing the access authentication of the application terminal to the file key management system. It should be noted that, in some embodiments of the present application, the access authentication of the application terminal to the file key management system is completed, so the quantum key based file encryption method may not perform the above steps. If the access authentication between the application terminal and the file key management system is not completed, the above steps need to be executed.
5) After the access is completed, the application terminal may request the file encryption key of the encrypted file from the file key management system according to the file identifier (i.e., file ID) generated during the file encryption process, and transmit the encrypted attribute data as described in the above step. Similar to access authentication, the application terminal sends a file encryption key request to the quantum security U shield. Wherein the file encryption key request comprises a plaintext file encryption key request message for the encrypted file. And the quantum security U shield encrypts the plaintext file encryption key request message by using the quantum key provided by the pre-stored quantum key set to obtain a file encryption key request ciphertext message which is returned to the application terminal as a file encryption key request response. The file encryption key request response also contains the device ID and the encryption key index of the plaintext quantum security U shield. The encryption key index is used for indicating a quantum key used when generating a file encryption key request ciphertext message. And after receiving the file encryption key request ciphertext message in the file encryption key request response, the application terminal sends a file key request to the file key management system.
6) And after receiving the file key request, the file key management system obtains a locally stored symmetric quantum key according to the equipment ID of the quantum security U shield and the encryption key index. It should be noted that, a corresponding quantum key set (full volume) is indexed according to the device ID, and then a corresponding symmetric quantum key is determined from the quantum key set according to the encryption key index. The file key management system decrypts the file encryption key request ciphertext message according to the quantum key, and checks the correctness and the legality of the request, so that the safety is further improved.
7) After the verification is passed, the file key management system retrieves a corresponding file encryption key (plaintext) in the file key management system according to the file identifier, and decrypts the encrypted attribute data by using the file encryption key. And then, carrying out strategy judgment according to the attribute data and a preset rule so as to judge whether the requester has the authority of acquiring the encryption key of the plaintext file. If the requestor has the right to obtain the plaintext file encryption key, the plaintext file encryption key may be returned. The file key management system encrypts the plaintext file encryption key by using the quantum key provided by the locally stored quantum key set to obtain a file encryption key ciphertext. Then, the file key management system encrypts the file encryption key ciphertext and the encryption key index corresponding to the file encryption key ciphertext by using a locally pre-stored quantum key to obtain a file encryption key response ciphertext message. Note that the quantum key used at this time is different from the quantum key used when encrypting the plaintext file encryption key. And then, the file key management system sends a file key response to the application terminal, wherein the file key response comprises a file encryption key response ciphertext message and an encryption key index corresponding to the file encryption key response ciphertext message. And if the requester does not have the right to acquire the plaintext file encryption key, the file encryption key is not returned.
8) And after receiving the file key response, the application terminal sends a file key decryption request to the quantum security U shield. And the quantum security U shield receives a decryption file key request, wherein the decryption file key request comprises a file encryption key response ciphertext message, the equipment identifier of the quantum security U shield and an encryption key index. And the quantum security U shield obtains a corresponding symmetric quantum key according to the encryption key index, decrypts the file encryption key response ciphertext message according to the quantum key to obtain a plaintext file encryption key response message, and returns the plaintext file encryption key response message to the application terminal. When the application terminal receives the plaintext file encryption key response message, the correctness and the legality of the message are verified, and if the application terminal has the authority, a file encryption key ciphertext and an encryption key index corresponding to the file encryption key ciphertext can be obtained through analysis. If the user does not have the authority, only the result of obtaining the secret key without the authority can be obtained through analysis.
9) And the application terminal sends the file encryption key ciphertext and the encryption key index corresponding to the file encryption key ciphertext to the quantum security U shield. And the quantum security U shield obtains a corresponding quantum key according to the encryption key index corresponding to the file encryption key ciphertext, decrypts the file encryption key ciphertext according to the quantum key to obtain a plaintext file encryption key, and returns a response of the mobile storage medium to the file encryption key ciphertext. The plaintext file encryption key is stored in a quantum security U shield.
10) And the application terminal sends the encrypted file to the quantum security U shield. In some embodiments, the quantum security U shield decrypts the attribute data in the encrypted file according to the stored plaintext file encryption key, determines whether the requestor has a decryption file authority based on decryption policy attribute data in the attribute data, and deletes the plaintext file encryption key of the removable storage medium if it is determined that the requestor does not have the decryption file authority, thereby ensuring the decryption authority of the encrypted file.
11) And if the application terminal judges whether the requester has the authority of decrypting the file, the quantum security U shield continues to decrypt the encrypted file by using the plaintext file encryption key to obtain a decrypted file (plaintext), and the correctness of the decrypted file is verified. In some embodiments, if the encrypted file does not contain the attribute data, the quantum security U shield directly decrypts the encrypted file according to the stored plaintext file encryption key to obtain a decrypted file.
12) And after the file decryption is finished, the application terminal informs the quantum security U shield to delete the plaintext file encryption key. Therefore, the quantum security U shield and the application terminal cannot hold a plaintext file encryption key so as to improve the security.
So far, the quantum key-based file encryption method completes the three parts: quantum key distribution and charging, file encryption key generation and file encryption, and ciphertext file decryption.
In the process of executing the steps, the file encryption and decryption adopts dual strategy control of a file key management system and an application terminal, on one hand, the generation and issuing strategy of the file encryption key is maintained and executed by the file key management system, namely when the application terminal requests the file encryption key from the file key management system, the file key management system judges whether to issue the file encryption key to the application terminal according to the strategies of the organization department to which the application terminal belongs, the file type, the black and white list and the like; on one hand, the encryption and decryption policies of the file are maintained and executed by the application terminal, that is, when the encrypted file is created, after the application terminal applies to the file key management system for obtaining the file encryption key, and when the file is encrypted, the creator can set a private decryption policy, for example, a specific user or a specific department of an organization can be specified with fine granularity to have the decryption reading authority. When the file is decrypted, the application terminal applies to the file key management system to obtain the file encryption key, the attribute data given to the encrypted file by the file creator needs to be decrypted first, the private decryption strategy judgment is carried out, and if the user does not have the authority, the application terminal refuses to decrypt the file content.
By using dual strategy control, the file key management system can be configured with a basic system level strategy without maintaining a huge strategy, so that the system maintenance pressure is reduced; and moreover, fine-grained private decryption strategies can be defined by a file creator, each file can have a separate strategy, and the method has strong flexibility.
The quantum key-based file encryption method can also be operated in a scene with terminal equipment and a file key management system. In this scenario, a terminal device (e.g., application terminal 10) has the function of a mobile storage medium (e.g., quantum secure U-shield 30), and the terminal device prestores a quantum key set (multiple quantum keys) that is symmetric to file key management system 20.
In this case, the quantum key-based file encryption method is applied to a terminal device. As shown in fig. 19, the method includes: step S510, sending an authentication access request to a file key management system, and receiving an authentication access request response from the file key management system; the file key management system is connected with the terminal equipment in an authenticated manner through a quantum key distribution network; step S520, sending a file key generation request to a file key management system, and receiving a file key generation request response from the file key management system, wherein the file key generation request response contains a file encryption key and a file identifier; step S530, based on the file encryption key and the file identifier, performing encryption operation on the file to be encrypted to obtain an encrypted file; step S540, responding to the opening operation aiming at the encrypted file, sending a file key inquiry request to a file key management system based on the file identification, and receiving a file key inquiry request response from the file key management system, wherein the file key inquiry request response contains a file encryption key; in step S550, the encrypted file is decrypted based on the obtained file encryption key.
By performing the above steps S510 to S550, encryption of a plaintext file or decryption of an encrypted file can be achieved.
The following further describes the above steps with the terminal device taking an application terminal as an example, and the mobile storage medium taking a quantum security U shield as an example, in conjunction with fig. 20.
1) The application terminal obtains the quantum key.
2) And the application terminal is authenticated by the quantum key and accesses the file key management system.
3) The application terminal requests the file key management system to distribute a file ID and a file encryption key for a file to be encrypted.
4) The file key management system distributes file IDs, generates corresponding file encryption keys and returns the corresponding file encryption keys to the application terminal.
5) The application terminal obtains the file ID and the file encryption key, encrypts the file to be encrypted and packages the file ID and other related file information to obtain the encrypted file.
6) And when the application terminal needs to open the encrypted file, applying for a file encryption key from the file key management system according to the file ID.
7) And the file key management system judges the strategy according to the file ID and the related attribute information and a preset strategy and returns the file encryption key according to the judgment result.
8) And after the application terminal receives the file encryption key, decrypting the file attribute data and judging a decryption strategy, after confirming that decryption is allowed, decrypting the encrypted file, and verifying the correctness of the decrypted plaintext file. And if the verification is passed, obtaining a decrypted file of the plaintext.
When the file encryption method based on the quantum key is executed, a symmetric key algorithm is used, and the symmetric key is safely distributed between the terminal equipment and the file key management system through a quantum key distribution network. Each message in the interaction process of the terminal equipment and the file key management system is encrypted by using different quantum keys, and the quantum keys do not have any correlation, so that the effect close to the one-time pad information theory safety can be achieved, and the possibility that the traditional algorithm depending on the asymmetric keys can be cracked by future quantum computation is reduced. In addition, when the quantum key-based file encryption method is executed, the file encryption key and the file data are separated and are managed by the file key management system and the terminal device respectively, and if a single system is invaded, the file information cannot be leaked, so that the safety is further improved. In addition, when the quantum key-based file encryption method is executed, fine-grained encryption protection is supported on massive files, each file is encrypted and protected by using a file encryption key which is not associated, a private decryption strategy can be set, and the safety of other files cannot be influenced when a single file is cracked.
In order to better implement the above method, an embodiment of the present application provides a quantum key-based file encryption apparatus. As shown in fig. 21, the quantum-key-based file encryption apparatus 1000 includes: a message encryption transceiving module 1100, a key request transceiving module 1200, a decryption message transceiving module 1300, an analysis module 1400, a decryption key transceiving module 1500, and a file encryption transceiving module 1600.
Specifically, the message encryption transceiver module 1100 is configured to send a file encryption key request to the removable storage medium, and receive a file encryption key request response from the removable storage medium, where the file encryption key request includes a plaintext file encryption key request message for a file to be encrypted, and the file encryption key request response includes a file encryption key request ciphertext message, an apparatus identifier of the removable storage medium, and an encryption key index.
The key request transceiver module 1200 is configured to send a file key request to a file key management system for a file encryption key request ciphertext message, and receive a file key response from the file key management system, where the file key response includes the file key response message, a device identifier of a mobile storage medium, and an encryption key index, and the file key management system is authenticated and connected to a terminal device through a quantum key distribution network.
The decryption message transceiver module 1300 is configured to send a request for decrypting a file key to the removable storage medium in response to the file key response message, and receive a request response for decrypting the file key from the removable storage medium, so as to obtain a plaintext file encryption key response message.
The parsing module 1400 is configured to parse the plaintext file encryption key response packet to obtain a file encryption key ciphertext and a file identifier.
A decryption key transceiving module 1500, configured to send a file encryption key ciphertext to the mobile storage medium, and receive a response from the mobile storage medium for the file encryption key ciphertext; and the mobile storage medium obtains a plaintext file encryption key based on the file encryption key ciphertext.
The file encryption transceiving module 1600 is configured to send a file to be encrypted to the mobile storage medium, and receive an encrypted file generated based on a plaintext file encryption key and returned by the mobile storage medium.
In this embodiment, the quantum key based file encryption device 1000 is further configured to send an encrypted authentication request to the removable storage medium, and receive an encrypted authentication request response from the removable storage medium, where the encrypted authentication request includes a plaintext authentication request message; the encryption authentication request response comprises an authentication request ciphertext message, the equipment identifier of the mobile storage medium and an encryption key index; aiming at an authentication request ciphertext message, sending an authentication request to a file key management system, and receiving an authentication response from the file key management system, wherein the authentication response comprises an authentication response message and an encryption key index; and sending a decryption authentication response request to the mobile storage medium aiming at the authentication response message, and receiving a response of the decryption authentication response request from the mobile storage medium to obtain a plaintext authentication response message.
Or, the quantum key based file encryption device 1000 is further configured to send a file encryption key deletion instruction to the removable storage medium; a response to the file encryption key deletion instruction is received from the removable storage medium.
Or, the quantum key based file encryption apparatus 1000 is further configured to send attribute data for the file to be encrypted to the removable storage medium, where the attribute data is used to indicate a decryption policy for the encrypted file.
Or, the quantum key based file encryption apparatus 1000 is further configured to send a file encryption key request to the removable storage medium, and receive a file encryption key request response from the removable storage medium, where the file encryption key request includes a plaintext file encryption key request packet for an encrypted file, and the file encryption key request response includes a file encryption key request ciphertext packet, a device identifier of the removable storage medium, and an encryption key index; aiming at a file encryption key request ciphertext message, sending a file key request to a file key management system, and receiving a file key response from the file key management system, wherein the file key request comprises a file identifier, and the file key response comprises a file key response message, a device identifier of a mobile storage medium and an encryption key index; sending a file key decryption request to the mobile storage medium aiming at the file key response message, and receiving a file key decryption request response from the mobile storage medium to obtain a plaintext file encryption key response message; analyzing to obtain a file encryption key ciphertext based on the plaintext file encryption key response message; sending a file encryption key ciphertext to the mobile storage medium, and receiving a response from the mobile storage medium to the file encryption key ciphertext; the mobile storage medium obtains a plaintext file encryption key based on a file encryption key ciphertext; and sending the encrypted file to the mobile storage medium, and receiving a decrypted file which is returned by the mobile storage medium and is generated based on the plaintext file encryption key.
Or, the quantum key-based file encryption device 1000 is further configured to receive attribute data returned by the removable storage medium, where the attribute data is obtained by decrypting, by the removable storage medium, the encrypted attribute data in the encrypted file; analyzing to obtain decryption strategy attribute data based on the attribute data; judging whether the requester has the authority to decrypt the file or not based on the decryption strategy attribute data; if the requester has the authority of decrypting the file, the mobile storage medium is instructed to continue decrypting the file and returning a decrypted file generated based on the plaintext file encryption key; and if the requester does not have the authority of decrypting the file, deleting the plaintext file encryption key of the mobile storage medium.
The application further provides a file encryption device based on the quantum key, which is used for a mobile storage medium. As shown in fig. 22, the quantum key-based file encryption apparatus 2000 includes: a plaintext message receiving module 2100, a plaintext message encrypting module 2200, a ciphertext message receiving module 2300, a first key retrieving module 2400, a ciphertext message decrypting module 2500, a second key retrieving module 2600, a ciphertext decrypting module 2700, and a file encrypting module 2800.
Specifically, the plaintext message receiving module 2100 is configured to receive a file encryption key request from a terminal device, where the file encryption key request includes a plaintext file encryption key request message for a file to be encrypted. A plaintext message encrypting module 2200, configured to encrypt a plaintext file encryption key request message based on a quantum key provided by a preset quantum key set to obtain a file encryption key request ciphertext message, and return the file encryption key request ciphertext message to the terminal device. A ciphertext message receiving module 2300, configured to receive a decryption file key request from the terminal device, where the decryption file key request includes a file encryption key response ciphertext message, a device identifier of the mobile storage medium, and an encryption key index, and the file key management system is authenticated and connected to the terminal device through a quantum key distribution network. The first key retrieval module 2400 is configured to retrieve a preset quantum key set based on the device identifier and the encryption key index of the mobile storage medium, so as to obtain a corresponding quantum key. And the ciphertext message decryption module 2500 is configured to decrypt the file encryption key response ciphertext message based on the obtained corresponding quantum key to obtain a plaintext file encryption key response message, and return the plaintext file encryption key response message to the terminal device. The second key retrieval module 2600 is configured to receive a file encryption key ciphertext and an encryption key index corresponding to the file encryption key ciphertext from the terminal device, and obtain a corresponding quantum key based on the encryption key index. And the ciphertext decryption module 2700 is configured to decrypt the file encryption key ciphertext based on the obtained corresponding quantum key to obtain a plaintext file encryption key. The file encryption module 2800 is configured to receive the file to be encrypted provided by the terminal device, encrypt the file to be encrypted based on the plaintext file encryption key to obtain an encrypted file, and return the encrypted file to the terminal device.
In this embodiment, the quantum key based file encryption apparatus 2000 is further configured to receive an encrypted authentication request from the terminal device, where the encrypted authentication request includes a plaintext authentication request packet; encrypting a plaintext authentication request message based on a quantum key provided by a preset quantum key set to obtain an authentication request ciphertext message; sending an encryption authentication request response to the terminal equipment, wherein the encryption authentication request response contains an authentication request ciphertext message; receiving a decryption authentication response request from the terminal equipment, wherein the decryption authentication response request comprises an authentication response message and an encryption key index; retrieving a preset quantum key set based on the encryption key index to obtain a corresponding quantum key; and based on the obtained corresponding quantum key, decrypting the authentication response message to obtain a plaintext authentication response message, and returning the plaintext authentication response message to the terminal equipment.
Or, the quantum key based file encryption apparatus 2000 is further configured to receive a file encryption key request from the terminal device, where the file encryption key request includes a plaintext file encryption key request packet for an encrypted file; encrypting a plaintext file encryption key request message based on a quantum key provided by a preset quantum key set to obtain a file encryption key request ciphertext message, and returning the file encryption key request ciphertext message to the terminal equipment; receiving a decryption file key request from the terminal equipment, wherein the decryption file key request comprises a file encryption key response ciphertext message, an equipment identifier of the mobile storage medium and an encryption key index; retrieving a preset quantum key set based on the device identification and the encryption key index of the mobile storage medium to obtain a corresponding quantum key; based on the obtained corresponding quantum key, decrypting the file encryption key response ciphertext message to obtain a plaintext file encryption key response message, and returning the plaintext file encryption key response message to the terminal equipment; receiving a file encryption key ciphertext from the terminal equipment and an encryption key index corresponding to the file encryption key ciphertext, and obtaining a corresponding quantum key based on the encryption key index; based on the obtained corresponding quantum key, decrypting the file encryption key ciphertext to obtain a plaintext file encryption key; and receiving the encrypted file provided by the terminal equipment, decrypting the encrypted file based on the plaintext file encryption key to obtain a decrypted file, and returning the decrypted file to the terminal equipment.
Alternatively, the quantum key based file encryption apparatus 2000 is further configured to provide the device identifier of the removable storage medium to the quantum key charging site; the quantum key charging station is used for generating corresponding encrypted charging equipment information based on the equipment identifier of the mobile storage medium, sending the encrypted charging equipment information and the equipment identifier of the mobile storage medium to the file key management system, receiving charging response of the file key management system, sending a quantum key distribution request and receiving a key distribution response to obtain a quantum key set; the quantum key filling site establishes an authentication connection with the file key management system through a quantum key distribution network; a quantum key set from a quantum key charging site is received and stored, wherein the quantum key set comprises a plurality of quantum keys.
The application further provides a file encryption device based on the quantum key. As shown in fig. 23, the quantum-key-based file encryption apparatus 3000 includes: the system comprises a key request module 3100, a key generation module 3200, a ciphertext generation module 3300, a message generation module 3400 and a key request response module 3500.
Specifically, the key request module 3100 is configured to receive a file key generation request from a terminal device, where the file key management system is in authenticated connection with the terminal device through a quantum key distribution network. The key generation module 3200 is configured to obtain a random number generated by the quantum random number generator and use the random number as a plaintext file encryption key. The ciphertext generating module 3300 is configured to encrypt the plaintext file encryption key based on the quantum key provided by the preset quantum key set, so as to obtain a file encryption key ciphertext. The message generating module 3400 is configured to encrypt the file encryption key ciphertext and the file identifier based on the quantum key provided by the preset quantum key set, so as to obtain a file encryption key response ciphertext message. And a key request response module 3500, configured to send a file key response to the terminal device based on the file encryption key response ciphertext message.
In this embodiment, the quantum key based file encryption apparatus 3000 is further configured to receive a file encryption key request from a terminal device, where the file encryption key request includes a file identifier; based on the file identification, inquiring to obtain a pre-stored plaintext file encryption key; encrypting a plaintext file encryption key based on a quantum key provided by a preset quantum key set to obtain a file encryption key ciphertext; encrypting a file encryption key ciphertext and a file identifier based on a quantum key provided by a preset quantum key set to obtain a file encryption key response ciphertext message; and sending the file key response to the terminal equipment based on the file encryption key response ciphertext message.
Alternatively, the quantum-key-based file encryption apparatus 3000 is further configured to receive charging device information from a quantum-key charging site; the quantum key filling site establishes authentication connection with the file key management system through a quantum key distribution network; determining identity information of the filling equipment based on the filling equipment information; sending a charging response to the quantum key charging site; after the quantum key charging site sends a distribution request to a quantum key distribution network, receiving a quantum key set pushed by the quantum key distribution network; and sending a key receiving response to the quantum key distribution network.
The quantum-key-based file encryption device can realize the functions or effects realized by the quantum-key-based file encryption method through the matching use of the modules or the units. That is, the quantum key-based file encryption device can realize that the terminal device and the file key management system based on the quantum key distribution network safely distribute the symmetric key, establish a secure channel by using the symmetric key, send the file encryption key to the terminal device through the secure channel for encrypting the file, use the symmetric key according to a one-time pad mode based on the secure channel, and have no correlation among the keys, thereby improving the security of file storage. In addition, the quantum key-based file encryption device also realizes the separation of the key and the data, namely the file encryption key and the encrypted file are respectively controlled by different systems, so that the problem of file information leakage caused by single-party data leakage is avoided. In addition, the quantum key-based file encryption device also realizes double policy control of file encryption and decryption, namely the generation and issuing policies of the file encryption key are controlled and executed by a file key management system, and the decryption policy of the file is controlled and executed by an application terminal (terminal device).
In addition, in an embodiment of the present application, an electronic device 5000 is also provided. The quantum key based file encryption apparatus as described above and shown in fig. 24 may be integrated into the electronic device 5000. When the electronic device 5000 is a terminal device, a file encryption device based on a quantum key as shown in fig. 21 and 22 may be integrated into the terminal device. When the electronic device 5000 is a server device, a quantum key-based file encryption apparatus as shown in fig. 23 may be integrated in the server device. The specific functions of the electronic device 5000 can refer to the description of the quantum key-based file encryption apparatus, and are not described herein again.
Further, the electronic device 5000 may include at least one processor 5100 and at least one memory 5200. Those skilled in the art will appreciate that the electronic device 5000 shown in fig. 24 does not constitute a limitation of the electronic device 5000, and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components. Wherein:
the processor 5100 is a control center of the electronic device 5000, and performs various functions of the electronic device 5000 and processes data by running or executing software programs and/or modules stored in the memory 5200 and calling data stored in the memory 5200, thereby monitoring the electronic device 5000 as a whole. Optionally, the processor 5100 may include one or more processing cores.
The memory 5200 may be used to store software programs and modules, and the processor 5100 executes various functional applications and data processing by executing the software programs and modules stored in the memory 5200 to implement various functions, such as:
sending an authentication access request to the file key management system, and receiving an authentication access request response from the file key management system; the file key management system is connected with the terminal equipment in an authenticated manner through a quantum key distribution network;
sending a file key generation request to a file key management system, and receiving a file key generation request response from the file key management system, wherein the file key generation request response comprises a file encryption key and a file identifier;
based on the file encryption key and the file identification, performing encryption operation on the file to be encrypted to obtain an encrypted file;
responding to the opening operation aiming at the encrypted file, sending a file key inquiry request to a file key management system based on a file identifier, and receiving a file key inquiry request response from the file key management system, wherein the file key inquiry request response contains a file encryption key;
the encrypted file is decrypted based on the obtained file encryption key.
For another example:
sending a file encryption key request to a mobile storage medium, and receiving a file encryption key request response from the mobile storage medium, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted, and the file encryption key request response comprises a file encryption key request ciphertext message, an equipment identifier of the mobile storage medium and an encryption key index;
aiming at a file encryption key request ciphertext message, sending a file key request to a file key management system, and receiving a file key response from the file key management system, wherein the file key response comprises the file key response message, an equipment identifier of a mobile storage medium and an encryption key index, and the file key management system is in authenticated connection with terminal equipment through a quantum key distribution network;
sending a file key decryption request to the mobile storage medium aiming at the file key response message, and receiving a file key decryption request response from the mobile storage medium to obtain a plaintext file encryption key response message;
analyzing to obtain a file encryption key ciphertext and a file identifier based on the plaintext file encryption key response message;
sending a file encryption key ciphertext to the mobile storage medium, and receiving a response from the mobile storage medium to the file encryption key ciphertext; the mobile storage medium obtains a plaintext file encryption key based on a file encryption key ciphertext;
and sending the file to be encrypted to the mobile storage medium, and receiving the encrypted file which is returned by the mobile storage medium and is generated based on the plaintext file encryption key.
For another example:
receiving a file encryption key request from a terminal device, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted;
encrypting a plaintext file encryption key request message based on a quantum key provided by a preset quantum key set to obtain a file encryption key request ciphertext message, and returning the file encryption key request ciphertext message to the terminal equipment;
receiving a file decryption key request from the terminal equipment, wherein the file decryption key request comprises a file encryption key response ciphertext message, an equipment identifier of a mobile storage medium and an encryption key index, and the file key management system is connected with the terminal equipment through a quantum key distribution network in an authenticated manner;
retrieving a preset quantum key set based on the device identification and the encryption key index of the mobile storage medium to obtain a corresponding quantum key;
based on the obtained corresponding quantum key, decrypting the file encryption key response ciphertext message to obtain a plaintext file encryption key response message, and returning the plaintext file encryption key response message to the terminal equipment;
receiving a file encryption key ciphertext from the terminal equipment and an encryption key index corresponding to the file encryption key ciphertext, and obtaining a corresponding quantum key based on the encryption key index;
based on the obtained corresponding quantum key, decrypting the file encryption key ciphertext to obtain a plaintext file encryption key;
and receiving the file to be encrypted provided by the terminal equipment, encrypting the file to be encrypted based on the plaintext file encryption key to obtain an encrypted file, and returning the encrypted file to the terminal equipment.
For another example:
receiving a file key generation request from a terminal device, wherein the file key management system is connected with the terminal device in an authenticated manner through a quantum key distribution network;
acquiring random numbers generated by a quantum random number generator and using the random numbers as a plaintext file encryption key;
encrypting a plaintext file encryption key based on a quantum key provided by a preset quantum key set to obtain a file encryption key ciphertext;
encrypting a file encryption key ciphertext and a file identifier based on a quantum key provided by a preset quantum key set to obtain a file encryption key response ciphertext message;
and sending the file key response to the terminal equipment based on the file encryption key response ciphertext message.
It will be understood by those skilled in the art that all or part of the steps of the method described in the above embodiments may be implemented by instructions, or by instructions controlling associated hardware, which may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, an embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program, and the computer program is suitable for being loaded by a processor to execute the cloud cryptographic service communication method described in any embodiment of the present application. For example, the computer program may perform the steps of:
sending an authentication access request to the file key management system, and receiving an authentication access request response from the file key management system; the file key management system is connected with the terminal equipment in an authenticated manner through a quantum key distribution network;
sending a file key generation request to a file key management system, and receiving a file key generation request response from the file key management system, wherein the file key generation request response comprises a file encryption key and a file identifier;
based on the file encryption key and the file identification, performing encryption operation on the file to be encrypted to obtain an encrypted file;
responding to the opening operation aiming at the encrypted file, sending a file key inquiry request to a file key management system based on a file identifier, and receiving a file key inquiry request response from the file key management system, wherein the file key inquiry request response contains a file encryption key;
the encrypted file is decrypted based on the obtained file encryption key.
Alternatively, the computer program may perform the steps of:
sending a file encryption key request to a mobile storage medium, and receiving a file encryption key request response from the mobile storage medium, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted, and the file encryption key request response comprises a file encryption key request ciphertext message, an equipment identifier of the mobile storage medium and an encryption key index;
aiming at a file encryption key request ciphertext message, sending a file key request to a file key management system, and receiving a file key response from the file key management system, wherein the file key response comprises the file key response message, an equipment identifier of a mobile storage medium and an encryption key index, and the file key management system is in authenticated connection with terminal equipment through a quantum key distribution network;
sending a file key decryption request to the mobile storage medium aiming at the file key response message, and receiving a file key decryption request response from the mobile storage medium to obtain a plaintext file encryption key response message;
analyzing to obtain a file encryption key ciphertext and a file identifier based on the plaintext file encryption key response message;
sending a file encryption key ciphertext to the mobile storage medium, and receiving a response from the mobile storage medium to the file encryption key ciphertext; the mobile storage medium obtains a plaintext file encryption key based on a file encryption key ciphertext;
and sending the file to be encrypted to the mobile storage medium, and receiving the encrypted file which is returned by the mobile storage medium and is generated based on the plaintext file encryption key.
Alternatively, the computer program may perform the steps of:
receiving a file encryption key request from a terminal device, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted;
encrypting a plaintext file encryption key request message based on a quantum key provided by a preset quantum key set to obtain a file encryption key request ciphertext message, and returning the file encryption key request ciphertext message to the terminal equipment;
receiving a file decryption key request from the terminal equipment, wherein the file decryption key request comprises a file encryption key response ciphertext message, an equipment identifier of a mobile storage medium and an encryption key index, and the file key management system is connected with the terminal equipment through a quantum key distribution network in an authenticated manner;
retrieving a preset quantum key set based on the device identification and the encryption key index of the mobile storage medium to obtain a corresponding quantum key;
based on the obtained corresponding quantum key, decrypting the file encryption key response ciphertext message to obtain a plaintext file encryption key response message, and returning the plaintext file encryption key response message to the terminal equipment;
receiving a file encryption key ciphertext from the terminal equipment and an encryption key index corresponding to the file encryption key ciphertext, and obtaining a corresponding quantum key based on the encryption key index;
based on the obtained corresponding quantum key, decrypting the file encryption key ciphertext to obtain a plaintext file encryption key;
and receiving the file to be encrypted provided by the terminal equipment, encrypting the file to be encrypted based on the plaintext file encryption key to obtain an encrypted file, and returning the encrypted file to the terminal equipment.
Alternatively, the computer program may perform the steps of:
receiving a file key generation request from a terminal device, wherein the file key management system is connected with the terminal device in an authenticated manner through a quantum key distribution network;
acquiring random numbers generated by a quantum random number generator and using the random numbers as a plaintext file encryption key;
encrypting a plaintext file encryption key based on a quantum key provided by a preset quantum key set to obtain a file encryption key ciphertext;
encrypting a file encryption key ciphertext and a file identifier based on a quantum key provided by a preset quantum key set to obtain a file encryption key response ciphertext message;
and sending the file key response to the terminal equipment based on the file encryption key response ciphertext message.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein. Wherein the computer-readable storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the computer-readable storage medium may execute the steps in the quantum key based file encryption method provided in any embodiment of the present application, beneficial effects that can be achieved by the quantum key based file encryption method provided in any embodiment of the present application may be achieved, which are detailed in the foregoing embodiments and will not be described herein again.
The method, the device, the electronic device and the computer-readable storage medium for encrypting the file based on the quantum key provided by the embodiment of the present application are described in detail above, a specific example is applied in the description to explain the principle and the implementation of the present application, and the description of the above embodiment is only used to help understanding the technical scheme and the core idea of the present application; those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications or substitutions do not depart from the spirit and scope of the present disclosure as defined by the appended claims.

Claims (18)

1. A file encryption method based on a quantum key is used for a terminal device, and is characterized by comprising the following steps:
sending an authentication access request to the file key management system, and receiving an authentication access request response from the file key management system; the file key management system is connected with the terminal equipment in an authenticated manner through a quantum key distribution network;
sending a file key generation request to a file key management system, and receiving a file key generation request response from the file key management system, wherein the file key generation request response comprises a file encryption key and a file identifier; the file identification is obtained by being distributed by the file key management system, and corresponds to the file to be encrypted and the file encryption key;
based on the file encryption key and the file identification, performing encryption operation on the file to be encrypted to obtain an encrypted file;
responding to the opening operation aiming at the encrypted file, sending a file key inquiry request to a file key management system based on a file identifier, and receiving a file key inquiry request response from the file key management system, wherein the file key inquiry request response contains a file encryption key;
the encrypted file is decrypted based on the obtained file encryption key.
2. A file encryption method based on a quantum key is used for a terminal device, and is characterized by comprising the following steps:
sending a file encryption key request to a mobile storage medium, and receiving a file encryption key request response from the mobile storage medium, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted, and the file encryption key request response comprises a file encryption key request ciphertext message, an equipment identifier of the mobile storage medium and an encryption key index;
aiming at a file encryption key request ciphertext message, sending a file key request to a file key management system, and receiving a file key response from the file key management system, wherein the file key response comprises the file key response message, an equipment identifier of a mobile storage medium and an encryption key index, and the file key management system is in authenticated connection with terminal equipment through a quantum key distribution network;
sending a file key decryption request to the mobile storage medium aiming at the file key response message, and receiving a file key decryption request response from the mobile storage medium to obtain a plaintext file encryption key response message;
analyzing to obtain a file encryption key ciphertext and a file identifier based on the plaintext file encryption key response message;
sending a file encryption key ciphertext to the mobile storage medium, and receiving a response from the mobile storage medium to the file encryption key ciphertext; the mobile storage medium obtains a plaintext file encryption key based on a file encryption key ciphertext;
and sending the file to be encrypted to the mobile storage medium, and receiving the encrypted file which is returned by the mobile storage medium and is generated based on the plaintext file encryption key.
3. The method of claim 2, wherein before sending the file encryption key request to the removable storage media, the method further comprises:
sending an encryption authentication request to a mobile storage medium, and receiving an encryption authentication request response from the mobile storage medium, wherein the encryption authentication request comprises a plaintext authentication request message; the encryption authentication request response comprises an authentication request ciphertext message, the equipment identification of the mobile storage medium and an encryption key index;
aiming at an authentication request ciphertext message, sending an authentication request to a file key management system, and receiving an authentication response from the file key management system, wherein the authentication response comprises an authentication response message, a device identifier of a mobile storage medium and an encryption key index;
and sending a decryption authentication response request to the mobile storage medium aiming at the authentication response message, and receiving a response of the decryption authentication response request from the mobile storage medium to obtain a plaintext authentication response message.
4. The method of claim 2, wherein after sending the file encryption key ciphertext to the mobile storage medium and receiving a response to the file encryption key ciphertext from the mobile storage medium, the method further comprises:
sending a file encryption key deleting instruction to the mobile storage medium;
a response to the file encryption key deletion instruction is received from the removable storage media.
5. The method according to claim 2, wherein the sending the file to be encrypted to the mobile storage medium further comprises: and sending attribute data aiming at the file to be encrypted to the mobile storage medium, wherein the attribute data is used for indicating a decryption strategy of the encrypted file.
6. The method according to claim 2, wherein after sending the file to be encrypted to the removable storage medium and receiving the encrypted file generated based on the plaintext file encryption key and returned from the removable storage medium, the method further comprises:
sending a file encryption key request to a mobile storage medium, and receiving a file encryption key request response from the mobile storage medium, wherein the file encryption key request comprises a plaintext file encryption key request message for an encrypted file, and the file encryption key request response comprises a file encryption key request ciphertext message, an equipment identifier of the mobile storage medium and an encryption key index;
aiming at a file encryption key request ciphertext message, sending a file key request to a file key management system, and receiving a file key response from the file key management system, wherein the file key request comprises a file identifier, and the file key response comprises a file key response message, an equipment identifier of a mobile storage medium and an encryption key index;
sending a file key decryption request to the mobile storage medium aiming at the file key response message, and receiving a file key decryption request response from the mobile storage medium to obtain a plaintext file encryption key response message;
analyzing to obtain a file encryption key ciphertext based on the plaintext file encryption key response message;
sending a file encryption key ciphertext to the mobile storage medium, and receiving a response from the mobile storage medium to the file encryption key ciphertext; the mobile storage medium obtains a plaintext file encryption key based on a file encryption key ciphertext;
and sending the encrypted file to the mobile storage medium, and receiving a decrypted file which is returned by the mobile storage medium and is generated based on the plaintext file encryption key.
7. The method of claim 6, wherein after sending the encrypted file to the removable storage medium, the method further comprises:
receiving attribute data returned by the mobile storage medium, wherein the attribute data is obtained by decrypting the encrypted attribute data in the encrypted file by the mobile storage medium;
analyzing to obtain decryption strategy attribute data based on the attribute data;
judging whether the requester has the authority to decrypt the file or not based on the decryption strategy attribute data;
if the requester has the authority of decrypting the file, the requester instructs the mobile storage medium to continue decrypting the file and returns a decrypted file generated based on the plaintext file encryption key;
and if the requester does not have the authority of decrypting the file, deleting the plaintext file encryption key of the mobile storage medium.
8. A file encryption method based on a quantum key is used for a mobile storage medium, and is characterized in that the method comprises the following steps:
receiving a file encryption key request from a terminal device, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted;
encrypting a plaintext file encryption key request message based on a quantum key provided by a preset quantum key set to obtain a file encryption key request ciphertext message, and returning the file encryption key request ciphertext message to the terminal equipment;
receiving a file decryption key request from the terminal equipment, wherein the file decryption key request comprises a file encryption key response ciphertext message, an equipment identifier of a mobile storage medium and an encryption key index, and the file key management system is connected with the terminal equipment through a quantum key distribution network in an authenticated manner;
retrieving a preset quantum key set based on the device identification and the encryption key index of the mobile storage medium to obtain a corresponding quantum key;
based on the obtained corresponding quantum key, decrypting the file encryption key response ciphertext message to obtain a plaintext file encryption key response message, and returning the plaintext file encryption key response message to the terminal equipment;
receiving a file encryption key ciphertext from the terminal equipment and an encryption key index corresponding to the file encryption key ciphertext, and obtaining a corresponding quantum key based on the encryption key index;
based on the obtained corresponding quantum key, decrypting the file encryption key ciphertext to obtain a plaintext file encryption key;
and receiving the file to be encrypted provided by the terminal equipment, encrypting the file to be encrypted based on the plaintext file encryption key to obtain an encrypted file, and returning the encrypted file to the terminal equipment.
9. The method of claim 8, wherein prior to receiving the file encryption key request from the terminal device, the method further comprises:
receiving an encryption authentication request from the terminal equipment, wherein the encryption authentication request comprises a plaintext authentication request message;
encrypting a plaintext authentication request message based on a quantum key provided by a preset quantum key set to obtain an authentication request ciphertext message;
sending an encryption authentication request response to the terminal equipment, wherein the encryption authentication request response contains an authentication request ciphertext message;
receiving a decryption authentication response request from the terminal equipment, wherein the decryption authentication response request comprises an authentication response message, an equipment identifier of a mobile storage medium and an encryption key index;
retrieving a preset quantum key set based on the device identification and the encryption key index of the mobile storage medium to obtain a corresponding quantum key;
and based on the obtained corresponding quantum key, decrypting the authentication response message to obtain a plaintext authentication response message, and returning the plaintext authentication response message to the terminal equipment.
10. The method according to claim 8, wherein after receiving the file to be encrypted provided by the terminal device, encrypting the file to be encrypted based on a plaintext file encryption key to obtain an encrypted file, and returning the encrypted file to the terminal device, the method further comprises:
receiving a file encryption key request from the terminal equipment, wherein the file encryption key request comprises a plaintext file encryption key request message aiming at an encrypted file;
encrypting a plaintext file encryption key request message based on a quantum key provided by a preset quantum key set to obtain a file encryption key request ciphertext message, and returning the file encryption key request ciphertext message to the terminal equipment;
receiving a decryption file key request from the terminal equipment, wherein the decryption file key request comprises a file encryption key response ciphertext message, an equipment identifier of the mobile storage medium and an encryption key index;
retrieving a preset quantum key set based on the device identification and the encryption key index of the mobile storage medium to obtain a corresponding quantum key;
based on the obtained corresponding quantum key, decrypting the file encryption key response ciphertext message to obtain a plaintext file encryption key response message, and returning the plaintext file encryption key response message to the terminal equipment;
receiving a file encryption key ciphertext from the terminal equipment and an encryption key index corresponding to the file encryption key ciphertext, and obtaining a corresponding quantum key based on the encryption key index;
based on the obtained corresponding quantum key, decrypting the file encryption key ciphertext to obtain a plaintext file encryption key;
and receiving the encrypted file provided by the terminal equipment, decrypting the encrypted file based on the plaintext file encryption key to obtain a decrypted file, and returning the decrypted file to the terminal equipment.
11. The method of claim 8, wherein prior to receiving the file encryption key request from the terminal device, the method further comprises:
providing a device identification of the mobile storage medium to a quantum key charging station; the quantum key charging site is used for generating corresponding encrypted charging equipment information based on the equipment identifier of the mobile storage medium, sending the encrypted charging equipment information and the equipment identifier of the mobile storage medium to the file key management system, receiving a charging response of the file key management system, sending a quantum key distribution request and receiving a key distribution response to obtain a quantum key set; the quantum key filling site establishes authentication connection with the file key management system through a quantum key distribution network;
a quantum key set from a quantum key charging site is received and stored, wherein the quantum key set comprises a plurality of quantum keys.
12. A file encryption method based on quantum keys is used for a file key management system, and is characterized by comprising the following steps:
receiving a file key generation request from a terminal device, wherein the file key management system is connected with the terminal device in an authenticated manner through a quantum key distribution network;
acquiring random numbers generated by a quantum random number generator and using the random numbers as a plaintext file encryption key;
encrypting a plaintext file encryption key based on a quantum key provided by a preset quantum key set to obtain a file encryption key ciphertext;
encrypting a file encryption key ciphertext and a file identifier based on a quantum key provided by a preset quantum key set to obtain a file encryption key response ciphertext message;
sending a file key response to the terminal equipment based on the file encryption key response ciphertext message;
after the file key response ciphertext message is sent to the terminal device based on the file encryption key response ciphertext message, the method further comprises:
receiving a file encryption key request from a terminal device, wherein the file encryption key request comprises a file identifier and encrypted attribute data; based on the file identification, inquiring to obtain a pre-stored plaintext file encryption key; encrypting a plaintext file encryption key based on a quantum key provided by a preset quantum key set to obtain a file encryption key ciphertext; encrypting a file encryption key ciphertext and a file identifier based on a quantum key provided by a preset quantum key set to obtain a file encryption key response ciphertext message; sending a file key response to the terminal equipment based on the file encryption key response ciphertext message;
after the pre-stored plaintext file encryption key is obtained by querying based on the file identifier, the method further comprises the following steps: decrypting the encrypted attribute data based on the plaintext file encryption key to obtain attribute data; judging whether the requester has the authority to acquire the encryption key of the plaintext file or not based on the attribute data and a preset rule; and if the requester has the authority of obtaining the plaintext file encryption key, executing a quantum key provided based on a preset quantum key set, and encrypting the plaintext file encryption key to obtain a file encryption key ciphertext.
13. The method of claim 12, wherein prior to receiving the file key generation request from the terminal device, the method further comprises:
receiving filling equipment information from a quantum key filling station; the quantum key filling site establishes authentication connection with the file key management system through a quantum key distribution network;
determining identity information of the filling equipment based on the filling equipment information;
sending a charging response to the quantum key charging site;
after the quantum key charging site sends a distribution request to a quantum key distribution network, receiving a quantum key set pushed by the quantum key distribution network;
and sending a key receiving response to the quantum key distribution network.
14. A quantum key based file encryption apparatus for a terminal device, the apparatus comprising:
the message encryption transceiving module is used for sending a file encryption key request to the mobile storage medium and receiving a file encryption key request response from the mobile storage medium, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted, and the file encryption key request response comprises a file encryption key request ciphertext message, an equipment identifier of the mobile storage medium and an encryption key index;
the system comprises a key request transceiving module, a file key management system and a terminal device, wherein the key request transceiving module is used for sending a file key request to the file key management system aiming at a file encryption key request ciphertext message and receiving a file key response from the file key management system, the file key response comprises the file key response message, a device identifier of a mobile storage medium and an encryption key index, and the file key management system is in authenticated connection with the terminal device through a quantum key distribution network;
the decryption message receiving and sending module is used for sending a file decryption key request to the mobile storage medium according to the file encryption key response message and receiving a file decryption key request response from the mobile storage medium to obtain a plaintext file encryption key response message;
the analysis module is used for analyzing to obtain a file encryption key ciphertext and a file identifier based on the plaintext file encryption key response message;
the decryption key transceiving module is used for sending a file encryption key ciphertext to the mobile storage medium and receiving a response aiming at the file encryption key ciphertext from the mobile storage medium; the mobile storage medium obtains a plaintext file encryption key based on a file encryption key ciphertext;
and the file encryption transceiving module is used for sending the file to be encrypted to the mobile storage medium and receiving the encrypted file which is returned by the mobile storage medium and is generated based on the plaintext file encryption key.
15. A quantum key based file encryption apparatus for a removable storage media, the apparatus comprising:
the plaintext message receiving module is used for receiving a file encryption key request from the terminal equipment, wherein the file encryption key request comprises a plaintext file encryption key request message for a file to be encrypted;
the plaintext message encryption module is used for encrypting a plaintext file encryption key request message based on a quantum key provided by a preset quantum key set to obtain a file encryption key request ciphertext message and returning the file encryption key request ciphertext message to the terminal equipment;
the ciphertext message receiving module is used for receiving a file decryption key request from the terminal equipment, wherein the file decryption key request comprises a file encryption key response ciphertext message, an equipment identifier of the mobile storage medium and an encryption key index, and the file key management system is connected with the terminal equipment through a quantum key distribution network in an authenticated manner;
the first key retrieval module is used for retrieving a preset quantum key set based on the equipment identification and the encryption key index of the mobile storage medium so as to obtain a corresponding quantum key;
the ciphertext message decryption module is used for decrypting the file encryption key response ciphertext message based on the obtained corresponding quantum key to obtain a plaintext file encryption key response message and returning the plaintext file encryption key response message to the terminal equipment;
the second key retrieval module is used for receiving a file encryption key ciphertext from the terminal equipment and an encryption key index corresponding to the file encryption key ciphertext and obtaining a corresponding quantum key based on the encryption key index;
the ciphertext decryption module is used for decrypting the file encryption key ciphertext based on the obtained corresponding quantum key to obtain a plaintext file encryption key;
and the file encryption module is used for receiving the file to be encrypted provided by the terminal equipment, encrypting the file to be encrypted based on the plaintext file encryption key to obtain an encrypted file, and returning the encrypted file to the terminal equipment.
16. A quantum key based file encryption apparatus for use in a file key management system, the apparatus comprising:
the system comprises a key request module, a file key management module and a data processing module, wherein the key request module is used for receiving a file key generation request from a terminal device, and the file key management system is connected with the terminal device through a quantum key distribution network in an authenticated manner;
the key generation module is used for acquiring random numbers generated by the quantum random number generator and taking the random numbers as a plaintext file encryption key;
the ciphertext generating module is used for encrypting the plaintext file encryption key based on the quantum key provided by the preset quantum key set to obtain a file encryption key ciphertext;
the message generation module is used for encrypting the file encryption key ciphertext and the file identifier based on the quantum key provided by the preset quantum key set so as to obtain a file encryption key response ciphertext message;
the key request response module is used for responding the ciphertext message based on the file encryption key and sending a file key response to the terminal equipment;
the apparatus is further configured to: receiving a file encryption key request from a terminal device, wherein the file encryption key request comprises a file identifier and encrypted attribute data; based on the file identification, inquiring to obtain a pre-stored plaintext file encryption key; decrypting the encrypted attribute data based on the plaintext file encryption key to obtain attribute data; judging whether the requester has the authority to acquire the encryption key of the plaintext file or not based on the attribute data and a preset rule; and if the requester has the authority of obtaining the plaintext file encryption key, executing a quantum key provided based on a preset quantum key set, and encrypting the plaintext file encryption key to obtain a file encryption key ciphertext.
17. An electronic device comprising a memory and a processor; the memory stores a computer program, and the processor is configured to execute the computer program in the memory to execute the quantum key based file encryption method according to any one of claims 2 to 7, the quantum key based file encryption method according to any one of claims 8 to 11, or the quantum key based file encryption method according to any one of claims 12 to 13.
18. A computer-readable storage medium, in which a computer program is stored, the computer program being adapted to be loaded by a processor to perform the quantum key based file encryption method of any one of claims 2 to 7, or the quantum key based file encryption method of any one of claims 8 to 11, or the quantum key based file encryption method of any one of claims 12 to 13.
CN202210362718.XA 2022-04-08 2022-04-08 File encryption method and device based on quantum key, electronic equipment and medium Active CN114448633B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210362718.XA CN114448633B (en) 2022-04-08 2022-04-08 File encryption method and device based on quantum key, electronic equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210362718.XA CN114448633B (en) 2022-04-08 2022-04-08 File encryption method and device based on quantum key, electronic equipment and medium

Publications (2)

Publication Number Publication Date
CN114448633A CN114448633A (en) 2022-05-06
CN114448633B true CN114448633B (en) 2022-06-21

Family

ID=81360235

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210362718.XA Active CN114448633B (en) 2022-04-08 2022-04-08 File encryption method and device based on quantum key, electronic equipment and medium

Country Status (1)

Country Link
CN (1) CN114448633B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115438358B (en) * 2022-09-05 2023-07-14 长江量子(武汉)科技有限公司 Controlled file encryption method and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107426723A (en) * 2016-05-24 2017-12-01 中兴通讯股份有限公司 Terminal document encryption method, terminal document decryption method and terminal
CN109728908A (en) * 2019-03-18 2019-05-07 南方电网调峰调频发电有限公司信息通信分公司 A kind of key management method based on quantum safety moving storage medium
CN110505053A (en) * 2018-05-17 2019-11-26 广东国盾量子科技有限公司 A kind of quantum key filling method, apparatus and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107769913B (en) * 2016-08-16 2020-12-29 广东国盾量子科技有限公司 Quantum UKey-based communication method and system
CN112398651B (en) * 2021-01-12 2023-03-14 南京易科腾信息技术有限公司 Quantum secret communication method and device, electronic equipment and storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107426723A (en) * 2016-05-24 2017-12-01 中兴通讯股份有限公司 Terminal document encryption method, terminal document decryption method and terminal
CN110505053A (en) * 2018-05-17 2019-11-26 广东国盾量子科技有限公司 A kind of quantum key filling method, apparatus and system
CN109728908A (en) * 2019-03-18 2019-05-07 南方电网调峰调频发电有限公司信息通信分公司 A kind of key management method based on quantum safety moving storage medium

Also Published As

Publication number Publication date
CN114448633A (en) 2022-05-06

Similar Documents

Publication Publication Date Title
CN109120639B (en) Data cloud storage encryption method and system based on block chain
CN106357396B (en) Digital signature method and system and quantum key card
US11303431B2 (en) Method and system for performing SSL handshake
CN109327481B (en) Block chain-based unified online authentication method and system for whole network
CN108123800A (en) Key management method, device, computer equipment and storage medium
CN111556025A (en) Data transmission method, system and computer equipment based on encryption and decryption operations
CN107948736A (en) A kind of audio and video preservation of evidence method and system
WO2007092588A2 (en) Secure digital content management using mutating identifiers
CN113420319A (en) Data privacy protection method and system based on block chain and permission contract
CN113079022B (en) Secure transmission method and system based on SM2 key negotiation mechanism
US10951510B2 (en) Communication device and communication method
CN113779612B (en) Data sharing method and system based on blockchain and hidden policy attribute encryption
CN116614599B (en) Video monitoring method, device and storage medium for secure encryption
US20230351035A1 (en) System and method for user-controllable sharing of authorization for private data
CN111756529A (en) Quantum session key distribution method and system
CN115314321B (en) Searchable encryption method based on block chain without need of secure channel
CN114448633B (en) File encryption method and device based on quantum key, electronic equipment and medium
CN113473458A (en) Equipment access method, data transmission method and computer readable storage medium
CN112332986A (en) Private encryption communication method and system based on authority control
CN115567312A (en) Alliance chain data authority management system and method capable of meeting multiple scenes
CN108809631B (en) Quantum key service management system and method
CN116248290A (en) Identity authentication method and device and electronic equipment
CN115276974A (en) Method and system for quantum security device to access base station
CN116170164A (en) Method, device, electronic equipment and storage medium for requesting scheduling
Wu et al. A privacy protection scheme for facial recognition and resolution based on edge computing

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20220506

Assignee: Suzhou Heyu Finance Leasing Co.,Ltd.

Assignor: Nanjing yiketeng Information Technology Co.,Ltd.

Contract record no.: X2022320010029

Denomination of invention: Document encryption method, device, electronic equipment and media based on quantum key

Granted publication date: 20220621

License type: Exclusive License

Record date: 20221209

PE01 Entry into force of the registration of the contract for pledge of patent right
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Document encryption method, device, electronic equipment and media based on quantum key

Effective date of registration: 20221210

Granted publication date: 20220621

Pledgee: Suzhou Heyu Finance Leasing Co.,Ltd.

Pledgor: Nanjing yiketeng Information Technology Co.,Ltd.

Registration number: Y2022320010788