CN108270553B - Trusted repeater, and secret key encryption method, device and system of quantum communication network - Google Patents

Trusted repeater, and secret key encryption method, device and system of quantum communication network Download PDF

Info

Publication number
CN108270553B
CN108270553B CN201611255339.1A CN201611255339A CN108270553B CN 108270553 B CN108270553 B CN 108270553B CN 201611255339 A CN201611255339 A CN 201611255339A CN 108270553 B CN108270553 B CN 108270553B
Authority
CN
China
Prior art keywords
key
relay
encryption
encrypted
receiving
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611255339.1A
Other languages
Chinese (zh)
Other versions
CN108270553A (en
Inventor
王学富
武宏宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Institute Of Quantum Science And Technology Co ltd
Quantumctek Co Ltd
Original Assignee
Shandong Institute Of Quantum Science And Technology Co ltd
Quantumctek Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Institute Of Quantum Science And Technology Co ltd, Quantumctek Co Ltd filed Critical Shandong Institute Of Quantum Science And Technology Co ltd
Priority to CN201611255339.1A priority Critical patent/CN108270553B/en
Publication of CN108270553A publication Critical patent/CN108270553A/en
Application granted granted Critical
Publication of CN108270553B publication Critical patent/CN108270553B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • H04L9/0855Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a key encryption method, a device and a system for a trusted repeater and a quantum communication network, wherein the key encryption method for the trusted repeater comprises the following steps: after receiving a first relay key sent by a previous node, a trusted relay decrypts the first relay key through an encrypted relay decryption key to obtain an encrypted relay key; the encrypted relay decryption key is generated by encrypting the relay decryption key by using a preset key encryption key; when the trusted repeater sends the encrypted relay key to the next node, the encrypted relay key is encrypted by using the encrypted relay encryption key to obtain a second relay key; the encrypted relay encryption key is generated by encrypting the relay encryption key by using a preset key encryption key. The invention has wide application range, has little influence on the application range of the credible repeater, and enhances the safety of the credible repeater under the condition of ensuring the expansibility of the original network.

Description

Trusted repeater, and secret key encryption method, device and system of quantum communication network
Technical Field
The invention relates to the technical field of quantum communication, in particular to a secret key encryption method and device of a trusted repeater and a secret key encryption method and system of a quantum communication network.
Background
In a quantum communication network, due to the limitations of channel deployment cost and distance, the construction of quantum channels between any nodes in the network and direct Quantum Key Distribution (QKD) cannot be realized. Therefore, in order to realize that the quantum key can be shared between any nodes in the network, a key relay method needs to be adopted to realize key distribution between two nodes which cannot directly perform quantum key distribution.
The key relay mode is firstly proposed by Elliott of BBN, and the basic idea is to encrypt and decrypt a relay key by using a quantum key shared between adjacent nodes, so as to realize encryption and transfer of the relay key among one or more relay nodes, and finally achieve a target user.
It is worth noting that since the relay key exists in the relay node in the clear, any node participating in the key relay knows the content of this secret communication (i.e. the relay key), i.e. its security is relative, provided that all relay nodes have to be trusted. Such a node is therefore called a Trusted Relay (Trusted Relay) node. On a key relay link, nodes at two ends of the link are called quantum terminal nodes (or quantum terminals for short), namely, nodes where target users of key relay are located; nodes in the middle of the link are called trusted relay nodes (or trusted relays), and are referred to as quantum terminal nodes. The key relay link comprises two quantum terminal nodes and at least one credible relay node, and each node is provided with QKD equipment; a quantum channel is built between adjacent nodes, and quantum keys can be directly distributed, so that the quantum keys are shared. The trusted repeater is a very natural and easily-realized technology, and by means of the trusted repeater, a quantum key distribution network can be easily expanded, and the range and the number of users can be infinite. Moreover, the QKD network based on the trusted repeater can be well compatible with various QKD technologies, and both an optical fiber quantum key distribution system and a free space quantum key distribution system, and a phase coding system and a polarization coding system can be conveniently integrated, so that the method is a preferred scheme for building the network at the present stage. But has the disadvantage of increasing the cost of security management since the security of the trusted repeater must be guaranteed.
At present, the flow of quantum key relay is shown in fig. 1, in this example, it is assumed that only one trusted repeater B is passed when communication is performed between a sending quantum terminal a and a receiving quantum terminal C; the sending quantum terminal A and the credible relay B share a quantum key through a QKD process, and the shared quantum key is used as a sending encryption key K at the sending quantum terminal AABAt trusted repeater B as a relay decryption key KBA(ii) a The trusted relay B and the receiving quantum terminal C share a quantum key through a QKD process, and the shared quantum key is used as a relay encryption key K at the trusted relay BBCAt the receiving quantum terminal C as a receiving decryption key KCB. The specific flow of key relaying is as follows:
step 1, sending quantum terminal A to be sentRelay key KRUsing a transmit encryption key KABObtaining a first relay secret key K after encryptionR⊕KABThen the first relay key K is usedR⊕KABSending to a trusted repeater B;
step 2, the trusted repeater B receives the first relay key KR⊕KABThen, the relay decryption key K is usedBAPerform decryption (K)R⊕KAB⊕KBA=KR) Later obtain relay key KR
Step 3, the credible repeater B reuses the relay encryption key KBCFor the relay key K obtained in step 2RObtaining a second relay key K after encryptionR⊕KBCAnd the second relay key K is used forR⊕KBCSending the data to a receiving quantum terminal C;
step 4, the receiving quantum terminal C receives the second relay key KR⊕KBCThereafter, using the received decryption key KCBPerform decryption (K)R⊕KBC⊕KCB=KR) To obtain a relay key KR
The trusted repeater B may be provided with a key cache module, and a plurality of relay decryption keys, such as K, may be stored in the key cache moduleBAAnd a plurality of relay encryption keys such as KBC. The sending quantum terminal A can also be provided with a key cache module, and a plurality of sending encryption keys such as K can be stored in the key cache moduleAB. The receiving quantum terminal C may also be provided with a key cache module, and the key cache module may store a plurality of receiving decryption keys, such as KCB
In this example, there is only one trusted repeater on the key relay link, and it can be understood by those skilled in the art that when there are n (n is a positive integer, n ≧ 1) trusted repeaters, each trusted repeater needs to perform a similar procedure as described above, that is, the encrypted relay key is relayed by using a quantum key shared with an adjacent quantum terminal or an adjacent trusted repeater.
However, the above method has the following safety defects:
in step 2, the trusted repeater B receives the first relay key KR⊕KABThen, the relay decryption key K is used firstBADecrypting to obtain the relay key KR(ii) a And in step 3 the relay key KRRelaying the secret key K before performing the second encryptionRIs stored in clear text, thus causing the leaked relay key K to exist in the trusted relayRThe potential safety hazard of (2).
Furthermore, the above example only describes the key relay process of the key management layer, which may be understood as a horizontal key relay process, and the key management at each node may be understood as a vertical key relay process. As shown in fig. 2, the whole quantum communication network can be divided into a key generation layer, a key management layer, and an application layer. The key generation layer performs quantum key distribution through QKD equipment deployed at each node and sends the generated quantum key to the key management layer; each node of the key management layer receives the quantum key sent by the key generation layer, uses the quantum key to realize the encryption transfer of the relay key, realizes the sharing of the relay key between quantum terminals, and sends the relay key to the application layer; and the application equipment in the application layer receives the relay key sent by the corresponding quantum terminal and uses the relay key to carry out high-security secret communication. The relay key may be a quantum key or may be generated by a true random number generator. Due to the characteristics of the quantum key distribution system, a large number of quantum keys need to be stored in a quantum terminal and a trusted repeater in a key management layer, and how to ensure the security of the part of keys and the security of the storage and longitudinal transmission of the relay keys are important problems to be solved in the field.
Disclosure of Invention
Aiming at the security defect existing when the relay key is forwarded by the trusted repeater in the quantum communication network, the invention provides the trusted repeater, and the key encryption method, device and system of the quantum communication network, which can eliminate the security defect of the relay key plaintext falling to the ground at the trusted repeater.
In order to achieve the above object, the present invention provides a key encryption method for a trusted repeater, including:
step 101, after receiving a first relay key sent by a previous node, a trusted relay decrypts the first relay key through an encrypted relay decryption key to obtain an encrypted relay key; the encrypted relay decryption key is generated by encrypting a relay decryption key by using a preset key encryption key, and the first relay key is generated by encrypting the relay key by using a sending encryption key corresponding to the relay decryption key by the previous node;
step 102, when the trusted relay sends the encrypted relay key to the next node, encrypting the encrypted relay key by using the encrypted relay encryption key to obtain a second relay key; the encrypted relay encryption key is generated by encrypting a relay encryption key by using the preset key encryption key, and the relay encryption key corresponds to a receiving decryption key at the next node.
Preferably, the sending encryption key and the relay decryption key are shared quantum keys generated through a QKD process, and are in one-to-one correspondence; the relay encryption key and the receiving decryption key are shared quantum keys generated through a QKD process, and the relay encryption key and the receiving decryption key correspond to each other one by one.
Preferably, the key encryption key is pre-stored in a hardware chip of the trusted repeater for updating, encrypting and decrypting operations, and the key encryption key in the chip cannot be derived.
Preferably, the key encryption key is periodically updated by a quantum key.
Meanwhile, the embodiment of the invention also provides a key encryption device of the trusted repeater, which comprises the following steps:
the key encryption module is used for storing a preset key encryption key and encrypting the relay decryption key through the preset key encryption key to obtain an encrypted relay decryption key; the relay encryption key is further used for encrypting the relay encryption key through the preset key encryption key to obtain an encrypted relay encryption key;
the key relay forwarding module is used for decrypting the first relay key through the encrypted relay decryption key after receiving the first relay key from the previous node so as to obtain an encrypted relay key; the first relay key is generated after the previous node encrypts a relay key by using a sending encryption key corresponding to the relay decryption key; the relay node is further configured to encrypt the encrypted relay key using the encrypted relay encryption key to obtain a second relay key when the encrypted relay key is sent to a next node; wherein the relay encryption key corresponds to a receive decryption key at the next node;
and the key cache module is used for storing the encrypted relay decryption key and the encrypted relay encryption key.
Preferably, the sending encryption key and the relay decryption key are shared quantum keys generated through a QKD process, and are in one-to-one correspondence; the relay encryption key and the receiving decryption key are shared quantum keys generated through a QKD process, and the relay encryption key and the receiving decryption key correspond to each other one by one.
Preferably, the key encryption module is a hardware chip, and a key encryption key in the chip cannot be derived.
Preferably, the key encryption module is further configured to receive a quantum key, and periodically update the key encryption key through the quantum key.
Meanwhile, the embodiment of the invention also provides a secret key encryption method of the quantum communication network, which comprises the following steps:
step 701, the sending quantum terminal encrypts the relay key to be sent by using a sending encryption key to obtain a first relay key, and then sends the first relay key to the next node; wherein the transmit encryption key corresponds to a relay decryption key at the next node;
step 702, after receiving a first relay key sent by a previous node, a trusted relay decrypts the first relay key through an encrypted relay decryption key to obtain an encrypted relay key; the encrypted relay decryption key is generated by encrypting the relay decryption key by using a preset key encryption key;
step 703, when the trusted relay sends the encrypted relay key to the next node, encrypting the encrypted relay key by using the encrypted relay encryption key to obtain a second relay key; the encrypted relay encryption key is generated after the relay encryption key is encrypted by using the preset key encryption key, and the relay encryption key corresponds to a receiving decryption key at the next node;
step 704, after receiving the second relay key sent by the previous node, the receiving quantum terminal decrypts the second relay key by using the receiving decryption key to obtain the relay key;
when a transmitting quantum terminal in the quantum communication network transmits a relay key to be transmitted to a receiving quantum terminal, the relay key passes through one or more trusted repeaters, and when the relay key passes through a plurality of trusted repeaters, each trusted repeater performs step 702 and step 703.
Further, a sending key encryption key is preset at the sending quantum terminal to encrypt the sending encryption key so as to generate an encrypted sending encryption key; a receiving key encryption key is preset at the receiving quantum terminal to encrypt the receiving decryption key so as to generate an encrypted receiving decryption key;
the method specifically comprises the following steps:
step 801, a sending quantum terminal encrypts a sending encryption key and a relay key respectively by using a preset sending key encryption key to generate an encrypted sending encryption key and an encrypted relay key respectively;
step 802, the sending quantum terminal encrypts the encrypted relay key to be sent by using the encrypted sending encryption key to obtain a first relay key, and then sends the first relay key to the next node; wherein the transmit encryption key corresponds to a relay decryption key at the next node;
step 803, after receiving the first relay key sent by the previous node, the trusted relay decrypts the first relay key by using the encrypted relay decryption key to obtain an encrypted relay key; the encrypted relay decryption key is generated by encrypting the relay decryption key by using a preset key encryption key;
step 804, when the trusted relay sends the encrypted relay key to the next node, the encrypted relay key is encrypted by using the encrypted relay encryption key to obtain a second relay key, and then the second relay key is sent to the next node; the encrypted relay encryption key is generated after the relay encryption key is encrypted by using the preset key encryption key, and the relay encryption key corresponds to a receiving decryption key at the next node;
step 805, after receiving the second relay key sent by the previous node, the receiving quantum terminal decrypts the second relay key by using the encrypted receiving decryption key to obtain an encrypted relay key; and the encrypted receiving decryption key is generated by encrypting the receiving decryption key by the receiving quantum terminal by using a preset receiving key encryption key.
Preferably, the sending encryption key and the relay decryption key are shared quantum keys generated through a QKD process, and are in one-to-one correspondence; the relay encryption key and the receiving decryption key are shared quantum keys generated through a QKD process, and the relay encryption key and the receiving decryption key correspond to each other one by one.
Preferably, the key encryption key is pre-stored in a hardware chip for updating, encrypting and decrypting operations, and the key encryption key in the chip cannot be derived.
Preferably, the key encryption key is periodically updated by a quantum key.
Meanwhile, the invention also provides a security enhancement method of the quantum key management layer, so as to realize the processing of the key management layer without a plaintext key and enhance the security of the whole key management system. The whole quantum communication network can be divided into a key generation layer, a key management layer and an application layer.
The working flow of the quantum terminal is as follows:
step 1701, presetting a sending key encryption key for encrypting the sending encryption key on a key generation device of the sending quantum terminal, and then synchronizing the sending key encryption key to an application device of the sending quantum terminal by the key generation device;
1702, after quantum key distribution is performed between a key generation device of the sending quantum terminal and a key generation device of a next node to generate a sending encryption key of the sending quantum terminal, encrypting the sending encryption key by using the sending encryption key to obtain an encrypted sending encryption key; transmitting the encrypted sending encryption key to a key management device of a sending quantum terminal for storage, so that when the sending quantum terminal sends an encrypted relay key to a device of a next node, the encrypted relay key is encrypted by using the encrypted sending encryption key to obtain the first relay key;
step 1703, the key management device of the sending quantum terminal sends the encrypted relay key to the application device of the sending quantum terminal; before using a service key, an application device of a sending quantum terminal decrypts the encrypted key by using the sending key to obtain a relay key, and then uses the relay key as the service key;
and the sending quantum terminal synchronizes and updates the sending key encryption key through the mobile storage equipment.
The working flow of the quantum receiving terminal is as follows:
step 1801, presetting a receiving key encryption key for encrypting a receiving decryption key on a key generation device of the receiving quantum terminal, and then synchronizing the receiving key encryption key to an application device of the receiving quantum terminal by the key generation device;
step 1802, after quantum key distribution is performed on a key generation device of a receiving quantum terminal and a key generation device of a previous node to generate a receiving decryption key of the receiving quantum terminal, encrypting the receiving decryption key by using the receiving key encryption key to obtain an encrypted receiving decryption key; transmitting the encrypted receiving decryption key to a key management device of a receiving quantum terminal for storage, so that when the receiving quantum terminal receives the second relay key sent by the previous node device, the second relay key is decrypted by using the encrypted receiving decryption key to obtain an encrypted relay key;
step 1803, the key management device of the receiving quantum terminal sends the encrypted relay key to the application device of the receiving quantum terminal; before using a service key, an application device of a receiving quantum terminal decrypts the encrypted key by using the receiving key to obtain a relay key, and then uses the relay key as the service key;
and the receiving quantum terminal synchronizes and updates the receiving key encryption key through the mobile storage equipment.
Meanwhile, the embodiment of the invention also provides a secret key encryption system of the quantum communication network, which comprises at least one sending quantum terminal, at least one receiving quantum terminal and at least one credible repeater;
the sending quantum terminal is used for encrypting the relay key to be sent by using the sending encryption key to obtain a first relay key and then sending the first relay key to the next node; wherein the transmit encryption key corresponds to a relay decryption key at the next node;
each trusted repeater includes:
the key encryption module is used for storing a preset key encryption key and encrypting the relay decryption key through the preset key encryption key to obtain an encrypted relay decryption key; the relay encryption key is further used for encrypting the relay encryption key through the preset key encryption key to obtain an encrypted relay encryption key;
the key relay forwarding module is used for decrypting the first relay key through the encrypted relay decryption key after receiving the first relay key from the previous node so as to obtain an encrypted relay key; the relay node is further configured to encrypt the encrypted relay key using the encrypted relay encryption key to obtain a second relay key when the encrypted relay key is sent to a next node; wherein the relay encryption key corresponds to a receive decryption key at the next node;
a key cache module for storing the encrypted relay decryption key and the encrypted relay encryption key;
and the receiving quantum terminal is used for decrypting by using the receiving decryption key after receiving the second relay key sent by the previous node to obtain the relay key.
Further, a sending key encryption key is preset at the sending quantum terminal to encrypt the sending encryption key so as to generate an encrypted sending encryption key; a receiving key encryption key is preset at the receiving quantum terminal to encrypt the receiving decryption key so as to generate an encrypted receiving decryption key; the system specifically comprises;
the transmitting quantum terminal is used for encrypting the transmitting encryption key and the relay key respectively by using a preset transmitting key encryption key so as to generate an encrypted transmitting encryption key and an encrypted relay key respectively; the relay node is further configured to encrypt the encrypted relay key to be sent by using the encrypted sending encryption key to obtain a first relay key, and then send the first relay key to a next node; wherein the transmit encryption key corresponds to a relay decryption key at the next node;
wherein each of the trusted repeaters comprises:
the key encryption module is used for storing a preset key encryption key and encrypting the relay decryption key through the preset key encryption key to obtain an encrypted relay decryption key; the relay encryption key is further used for encrypting the relay encryption key through the preset key encryption key to obtain an encrypted relay encryption key;
the key relay forwarding module is used for decrypting the first relay key through the encrypted relay decryption key after receiving the first relay key from the previous node so as to obtain an encrypted relay key; the relay node is further configured to encrypt the encrypted relay key using the encrypted relay encryption key to obtain a second relay key when the encrypted relay key is sent to a next node; wherein the relay encryption key corresponds to a receive decryption key at the next node;
a key cache module for storing the encrypted relay decryption key and the encrypted relay encryption key;
the receiving quantum terminal is used for encrypting the receiving decryption key by using a preset receiving key encryption key so as to generate an encrypted receiving decryption key; and the relay node is further configured to decrypt, after receiving the second relay key sent by the previous node, by using the encrypted reception decryption key, to obtain an encrypted relay key.
Preferably, the sending encryption key and the relay decryption key are shared quantum keys generated through a QKD process, and are in one-to-one correspondence; the relay encryption key and the receiving decryption key are shared quantum keys generated through a QKD process, and the relay encryption key and the receiving decryption key correspond to each other one by one.
Preferably, the key encryption module is a hardware chip, and a key encryption key in the chip cannot be derived.
Preferably, the key encryption module is further configured to receive a quantum key, and periodically update the key encryption key through the quantum key.
The technical scheme provided by the invention has the beneficial effects that:
a. the application range is wide, the realization scheme has little influence on the application range of the credible repeater, the safety of the credible repeater is enhanced under the condition of ensuring the expansibility of the original network, and the realization scheme is suitable for building various relay networks;
b. the safety of the relay key is enhanced, the falling of the plaintext of the relay key is avoided in the key relay process, the risk of relay key leakage is reduced, and the safety of the key relay process is ensured;
c. the security of the quantum key is enhanced, and the quantum key in the key cache module of the key management layer is encrypted and stored by using the key encryption key, so that the security of the quantum key is enhanced;
d. the method and the system have the advantages that the flows are consistent, the realization is convenient, the scheme can be suitable for all the nodes, the consistency of the flows of all the nodes is ensured, the realization is simple, and the maintenance is convenient.
Drawings
FIG. 1 is a schematic diagram of a key relay process in the prior art;
FIG. 2 is a schematic diagram of a prior art quantum communication network;
FIG. 3 is a schematic diagram of a workflow of an embodiment of the present invention when a trusted repeater is used;
FIG. 4 is a schematic diagram of a workflow when multiple trusted repeaters are employed in an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a trusted repeater according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a workflow of full-node security enhancement according to an embodiment of the present invention;
fig. 7 is a schematic diagram of a workflow of security enhancement at a trusted relay node and a sending node (sending quantum terminal) in an embodiment of the present invention;
fig. 8 is a schematic view of a workflow of security enhancement at a trusted relay node and a receiving node (receiving quantum terminal) in an embodiment of the present invention;
FIG. 9 is a key relay diagram of a star network with enhanced security of trusted repeaters in an embodiment of the present invention;
fig. 10 is a schematic key relay diagram of a star network with enhanced full-node security in an embodiment of the present invention;
FIG. 11 is a key relay diagram for central distribution in an embodiment of the invention;
FIG. 12 is a key relay diagram of a multi-node shared key according to an embodiment of the present invention;
FIG. 13 is a diagram illustrating a system for enhancing security of a key management layer according to an embodiment of the present invention;
the related symbols in the whole text explain:
KR: a relay key;
KAB: sending an encryption key;
KR⊕KAB: a first relay key;
KBA: relayDecrypting the key;
KBC: a relay encryption key;
KR⊕KBC: a second relay key;
KCB: receiving a decryption key;
KB: a preset key encryption key;
KR⊕KA: an encrypted relay key;
KR⊕KB: an encrypted relay key;
KR⊕KC: an encrypted relay key;
KBA⊕KB: an encrypted relay decryption key;
KBC⊕KB: an encrypted relay encryption key;
KA: a preset sending key encryption key;
KAB⊕KA: an encrypted transmit encryption key;
KC: a preset receiving key encryption key;
KCB⊕KC: the encrypted receive decryption key.
Detailed Description
The key point of the technical scheme of the invention is that a key encryption key is preset at the trusted repeater and used for encrypting the key stored in the key cache module, so that the key stored in the key cache module is the encrypted key. Therefore, after the trusted repeater receives the encrypted relay key, the relay key cannot be stored in a plaintext form between two processes of decryption and re-encryption, and the safety of the quantum communication network is improved. In a preferred embodiment of the present invention, a key encryption key for encrypting the relay key may be input to a hardware chip for updating, encrypting, and decrypting operations by a preset method, so as to ensure the security of the key encryption key. Meanwhile, the key encryption key can be updated regularly according to needs, so that the freshness and the safety of the key are further enhanced. Preferably, the key encryption key is periodically updated by the quantum key.
The security enhancement method of the invention can also be used for security enhancement of all nodes on the relay process (or relay link), is not limited to a trusted relay, and is also suitable for a relay initiating node and a relay destination node. The security enhancement method can be used for key relay of a linear network structure and key relay of a star network structure, and after the security enhancement scheme is used, the key relay process is basically consistent with the original process, and the implementation of the key relay process of the star network structure cannot be influenced.
The security enhancement method can also be used for a key relay process of distributing relay keys from the trusted relay nodes to the quantum terminal nodes at two ends, can be suitable for a full-node security enhancement network, and can also be suitable for a network only with the security enhancement of the trusted relay. The same applies to key distribution of multi-node shared keys.
The security enhancement method is also suitable for security enhancement of the key management layer, realizes no-plaintext key processing of the key management layer, and enhances the security of the whole key management system.
As an example, in the embodiment of the present invention, an exclusive or algorithm is used as an encryption and decryption algorithm, which specifically includes: 0 ≦ 0=0, 1 ≦ 0=1, 0 ≦ 1=1, 1 ≦ 1= 0.
The following detailed description of the embodiments of the present invention is provided with reference to the accompanying drawings, so that how to apply the technical means to solve the technical problems and achieve the technical effects can be fully understood and implemented.
Example 1
The embodiment of the invention provides a secret key encryption method of a trusted repeater. In order to make the whole process clearer, fig. 3 and 4 are schematic diagrams of the trusted repeater applied to a quantum communication network. FIGS. 3 and 4 show the application of the above scheme to one trusted repeater and the application of the above scheme to a plurality of trusted repeaters (n is a positive integer in FIG. 4, n ≧ 2), respectively. As can be seen from fig. 3 and 4, compared with the prior art, a preset key encryption key is added to each trusted repeater for encrypting the key stored in the key cache module. Since the workflow of each trusted repeater is the same, the specific steps shown in fig. 3 are:
step 101, the trusted relay B receives a first relay key K sent by a previous nodeR⊕KABThereafter, the key K is decrypted by the encrypted relayBA⊕KBFor the first relay key KR⊕KABDecrypting to obtain an encrypted relay key KR⊕KB(ii) a Wherein the encrypted relay decryption key KBA⊕KBIs to encrypt a secret key K by using a preset secret keyBDecrypting the key K for the relayBAGenerated after encryption, the first relay key KR⊕KABThe last node utilizes the relay decryption key KBACorresponding transmission encryption key KABFor relay key KRGenerated after encryption, the encrypted relay key KR⊕KBObtained by the following formula: kR⊕KAB⊕KBA⊕KB=KR⊕KB
102, the trusted relay B sends the encrypted relay key K to the next nodeR⊕KBThen, the encrypted relay encryption key K is reusedBC⊕KBFor the encrypted relay key KR⊕KBEncrypting to obtain a second relay key KR⊕KBC(ii) a Wherein the encrypted relay encryption key KBC⊕KBIs to encrypt a secret key K by using the preset secret keyBEncrypting the key K to the relayBCGenerated after encryption, the relay encryption key KBCWith a receive decryption key K at the next nodeCBCorrespondingly, the second relay key KR⊕KBCObtained by the following formula: kR⊕KB⊕KBC⊕KB=KR⊕KBC
Specifically, in step 101 and step 102, the key K may be encrypted by using a preset keyBDecrypting the Relay Key K in the Key cache Module of trusted repeater BBAAnd a relay encryption key KBCRespectively pre-encrypted to obtain the encrypted relay decryption key K in the above exampleBA⊕KBAnd encrypted relay encryption key KBC⊕KB. Preferably, the sending encryption key KABWith said relay decryption key KBAThe method comprises the steps of generating a shared quantum key through a QKD process, wherein the shared quantum key and the quantum key are in one-to-one correspondence; the relay encryption key KBCAnd the receiving decryption key KCBAre shared quantum keys generated by the QKD process, one-to-one correspondence. Of course, those skilled in the art will understand that the sending encryption key K in the embodiment of the present inventionABAnd relay decryption key KBARelay encryption key KBCAnd receiving a decryption key KCBCan be obtained in any way, and the embodiment of the invention does not limit the invention.
Preferably, the key encrypts a key KBPre-stored in the hardware chip of the trusted repeater B for updating, encrypting and decrypting operations, and the key in said chip encrypts the key KBCannot be derived to ensure that the key encrypts the key KBThe safety of (2). At the same time, the key encrypts a key KBAnd the key can be updated regularly as required, so that the freshness and the safety of the key are further enhanced. Preferably, the key K may be encrypted by a quantum keyBPeriodic updates are performed. For quantum communication networks with multiple trusted repeaters, a different key encryption key may be set for each trusted repeater.
Specifically, as shown in fig. 3, there is only one trusted relay, so the last node in the foregoing method must be the sending relay key KRAnd the next node is necessarily the receiving relay key KRReceiving quantum terminal C. For multiple trusted repeaters as shown in fig. 4, the last node in the foregoing method may be to send the relay key KRThe sending quantum terminal a of (2) may also be another trusted repeater; and the next node may be the receiving relay key KRMay also be a further trusted repeater.
It should be noted that, as can be understood by those skilled in the art, the sending encryption key and the relay encryption key, and the relay decryption key and the receiving decryption key in the embodiment of the present invention are all relative concepts, and are all encryption keys and decryption keys participating in the encryption and the transfer of the relay key, and there is no substantial difference. When the last node of the credible repeater is a sending quantum terminal, the sending encryption key at the last node corresponds to the relay decryption key at the credible repeater; and when the last node of the trusted repeater is another trusted repeater, the relay encryption key at the last node corresponds to the relay decryption key at the trusted repeater. Similarly, when the next node of the trusted repeater is a receiving quantum terminal, the relay encryption key at the trusted repeater corresponds to the receiving decryption key at the next node; when the next node of the trusted repeater is another trusted repeater, the relay encryption key at the trusted repeater corresponds to the relay decryption key at the next node. Of course, those skilled in the art can also understand that the first relay key and the second relay key in the embodiment of the present invention are also relative concepts, and are encrypted relay keys generated according to encryption keys participating in relay key encryption relay, and there is no substantial difference.
Thus, the first relay key K is received at the trusted relay BR⊕KABThereafter, the key K is decrypted using the encrypted relayBA⊕KBWhen decryption is carried out, the encrypted relay key K can be directly obtainedR⊕KBRather than the relay key K in the clearR. So that the trusted repeater B does not store the clear relay key K before subsequent encryption is performedRAnd the safety of the whole system is improved. While the change is to all other nodesIs transparent and therefore does not require changes to the existing system topology.
In the above embodiment, as shown in fig. 3, the entire transmission flow passes through only one trusted repeater (i.e., the trusted repeater B). As shown in fig. 4, the whole transmission flow passes through a plurality of trusted repeaters (e.g. trusted repeater B shown in fig. 4)1……Trusted repeater Bn) Thus, in the method shown in fig. 4, each trusted repeater B needs to perform a method similar to steps 101 and 102.
Example 2
Meanwhile, an embodiment of the present invention further provides a key encryption device of a trusted repeater corresponding to embodiment 1, where the structure of the key encryption device is shown in fig. 5, and the key encryption device includes a key encryption module, a key relay forwarding module, and a key caching module;
a key encryption module for storing a preset key encryption key KBAnd encrypting the secret key K by a preset secret keyBDecrypting the key K for the relayBAEncryption to obtain an encrypted relay decryption key KBA⊕KB(ii) a And also for encrypting a secret key K by means of said preset secret keyBEncrypting the key K to the relayBCEncrypting to obtain an encrypted relay encryption key KBC⊕KB
A key relay forwarding module for receiving a first relay key K from a previous nodeR⊕KABThereafter, the key K is decrypted by said encrypted relayBA⊕KBFor the first relay key KR⊕KABDecrypting to obtain an encrypted relay key KR⊕KB(ii) a Wherein the first relay key KR⊕KABThe last node utilizes the relay decryption key KBACorresponding transmission encryption key KABFor relay key KRGenerated after encryption, the encrypted relay key KR⊕KBObtained by the following formula: kR⊕KAB⊕KBA⊕KB=KR⊕KB(ii) a Also for the nextThe node sends the encrypted relay key KR⊕KBThen, the encrypted relay encryption key K is reusedBC⊕KBFor the encrypted relay key KR⊕KBEncrypting to obtain a second relay key KR⊕KBC(ii) a Wherein the relay encryption key KBCWith a receive decryption key K at the next nodeCBCorrespondingly, the second relay key KR⊕KBCObtained by the following formula: kR⊕KB⊕KBC⊕KB=KR⊕KBC
A key cache module for storing the encrypted relay decryption key KBA⊕KBAnd encrypted relay encryption key KBC⊕KB
Preferably, the sending encryption key KABWith said relay decryption key KBAThe method comprises the steps of generating a shared quantum key through a QKD process, wherein the shared quantum key and the quantum key are in one-to-one correspondence; the relay encryption key KBCAnd the receiving decryption key KCBAre shared quantum keys generated by the QKD process, one-to-one correspondence.
Preferably, the key encryption module is a hardware chip, and a key encryption key K in the chipBCannot be derived to ensure that the key encrypts the key KBThe safety of (2). At the same time, the key encrypts a key KBAnd the key can be updated regularly as required, so that the freshness and the safety of the key are further enhanced. Preferably, the key encryption module is further configured to receive a quantum key and encrypt the key K with the quantum keyBPeriodic updates are performed.
Example 3
Meanwhile, the embodiment of the invention also provides a secret key encryption method for the quantum communication network, which comprises one or more trusted repeaters as shown in fig. 3 and fig. 4. Compared with the prior art, each trusted repeater is added with a preset key encryption key for encrypting the relay encryption key and the relay decryption key. Since the workflow of each trusted repeater is the same, the method shown in fig. 3 is specifically as follows:
step 701, sending a relay key K to be sent by the quantum terminal ARUsing a transmit encryption key KABObtaining a first relay secret key K after encryptionR⊕KABThen the first relay key K is usedR⊕KABSending to the next node; wherein the sending encryption key KABRelay decryption key K with the next nodeBACorresponding;
step 702, the trusted relay B receives the first relay key K sent by the previous nodeR⊕KABThereafter, the key K is decrypted by the encrypted relayBA⊕KBFor the first relay key KR⊕KABDecrypting to obtain an encrypted relay key KR⊕KB(ii) a Wherein the encrypted relay decryption key KBA⊕KBIs to encrypt a secret key K by using a preset secret keyBDecrypting the key K for the relayBAGenerated after encryption, the encrypted relay key KR⊕KBObtained by the following formula: kR⊕KAB⊕KBA⊕KB=KR⊕KB
Step 703, the trusted relay B sends the encrypted relay key K to the next nodeR⊕KBThen, the encrypted relay encryption key K is reusedBC⊕KBFor the encrypted relay key KR⊕KBEncrypting to obtain a second relay key KR⊕KBCThen the second relay key K is usedR⊕KBCSending to the next node; wherein the encrypted relay encryption key KBC⊕KBIs to encrypt a secret key K by using the preset secret keyBEncrypting the key K to the relayBCGenerated after encryption, the relay encryption key KBCWith a receive decryption key K at the next nodeCBCorrespondingly, the second relay key KR⊕KBCObtained by the following formula: kR⊕KB⊕KBC⊕KB=KR⊕KBC
Step 704, the receiving quantum terminal C receives the second relay key K sent by the previous nodeR⊕KBCThereafter, using said received decryption key KCBPerform decryption (K)R⊕KBC⊕KCB=KR) Obtaining the relay key KR
In the above method, if there are a plurality of trusted repeaters, each trusted repeater needs to perform a method similar to steps 702 and 703. Specifically, as shown in fig. 3, there is only one trusted relay, so the last node in the foregoing method must be the sending relay key KRAnd the next node is necessarily the receiving relay key KRQuantum terminal C of (1). For multiple trusted repeaters as shown in fig. 4, the last node in the foregoing method may be to send the relay key KRMay also be another trusted repeater. And the next node may be the receiving relay key KRMay also be a further trusted repeater.
Example 4
Based on embodiment 3, embodiment 4 proposed by the embodiment of the present invention is as shown in fig. 6, and a preset sending key encryption key K may be added to the sending quantum terminal aATo transmit an encryption key KABEncrypting to generate an encrypted transmission encryption key KAB⊕KA. The preset receiving key encryption key K can be added to the receiving quantum terminal CCTo receive a decryption key KCBEncrypting to generate an encrypted reception decryption key KCB⊕KC
Then, the specific process is as shown in fig. 8, and includes:
step 801, the sending quantum terminal A encrypts the secret key K by using a preset sending secret keyARespectively for transmitting the encryption key KABAnd a relay key KREncrypting to generate encrypted transmission encryption keys KAB⊕KAAnd encrypted relay key KR⊕KA
Step 802, sending the encrypted relay key K to be sent by the quantum terminal AR⊕KASending an encryption key K using said encryptionAB⊕KAObtaining a first relay secret key K after encryptionR⊕KABThen the first relay key K is usedR⊕KABSending to the next node; wherein the sending encryption key KABRelay decryption key K with the next nodeBACorresponding;
step 803, the trusted relay B receives the first relay key K sent by the previous nodeR⊕KABThereafter, the key K is decrypted by the encrypted relayBA⊕KBFor the first relay key KR⊕KABDecrypting to obtain an encrypted relay key KR⊕KB(ii) a Wherein the encrypted relay decryption key KBA⊕KBIs to encrypt a secret key K by using a preset secret keyBDecrypting the key K for the relayBAGenerated after encryption, the encrypted relay key KR⊕KBObtained by the following formula: kR⊕KAB⊕KBA⊕KB=KR⊕KB
Step 804, the trusted relay B sends the encrypted relay key K to the next nodeR⊕KBThen, the encrypted relay encryption key K is reusedBC⊕KBFor the encrypted relay key KR⊕KBEncrypting to obtain a second relay key KR⊕KBCThen the second relay key K is usedR⊕KBCSending to the next node; wherein the encrypted relay encryption key KBC⊕KBIs to encrypt a secret key K by using the preset secret keyBEncrypting the key K to the relayBCGenerated after encryption, the relay encryption key KBCWith a receive decryption key K at the next nodeCBCorrespondingly, the second relay key KR⊕KBCObtained by the following formula: kR⊕KB⊕KBC⊕KB=KR⊕KBC
Step 805, the receiving quantum terminal C receives the second relay key K sent by the previous nodeR⊕KBCThereafter, the encrypted reception decryption key K is usedCB⊕KCPerform decryption (K)R⊕KBC⊕KCB⊕KC=KR⊕KC) Obtaining an encrypted relay key KR⊕KC(ii) a Wherein the encrypted reception decryption key KCB⊕KCThe receiving quantum terminal C encrypts a secret key K by using a preset receiving secret keyCDecrypting the key K for the receptionCBGenerated after encryption.
Example 5
Further, on the basis that the key encryption key is added to the trusted relay node, a preset sending key encryption key K may be added only to the sending quantum terminal aATo transmit an encryption key KABCarrying out encryption, wherein the specific flow is shown in FIG. 7; in addition, on the basis that the key encryption key is added to the trusted relay node, a preset receiving key encryption key K may be added only to the receiving quantum terminal CCTo receive a decryption key KCBThe specific flow of encryption is shown in fig. 8.
Example 6
Preferably, in embodiments 3 to 5, the transmission encryption key KABWith said relay decryption key KBAThe method comprises the steps of generating a shared quantum key through a QKD process, wherein the shared quantum key and the quantum key are in one-to-one correspondence; the relay encryption key KBCAnd the receiving decryption key KCBAre shared quantum keys generated by the QKD process, one-to-one correspondence.
As a further improvement to the foregoing embodiment, the key encryption key may be pre-stored in a hardware chip for updating, encrypting and decrypting operations, and it is ensured that the key encryption key in the chip cannot be derived to ensure the security of the key encryption key. For quantum communication networks, different key encryption keys may be set for each node. Meanwhile, the key encryption key of each node can be updated regularly according to needs, so that the freshness and the safety of the key are further enhanced. Preferably, the key encryption key is periodically updated by a quantum key.
Example 7
Meanwhile, an embodiment of the present invention further provides a key encryption system of a quantum communication network corresponding to the foregoing embodiments 3 to 6, including at least one sending quantum terminal a, at least one receiving quantum terminal C, and at least one trusted repeater B;
a transmitting quantum terminal A for transmitting the relay key KRUsing a transmit encryption key KABObtaining a first relay secret key K after encryptionR⊕KABThen the first relay key K is usedR⊕KABSending to the next node; wherein the sending encryption key KABRelay decryption key K with the next nodeBACorresponding;
each trusted repeater B includes:
a key encryption module for storing a preset key encryption key KBAnd encrypting the secret key K by a preset secret keyBDecrypting the key K for the relayBAEncryption to obtain an encrypted relay decryption key KBA⊕KB(ii) a And also for encrypting a secret key K by means of said preset secret keyBEncrypting the key K to the relayBCEncrypting to obtain an encrypted relay encryption key KBC⊕KB
A key relay forwarding module for receiving a first relay key K from a previous nodeR⊕KABThereafter, the key K is decrypted by said encrypted relayBA⊕KBFor the first relay key KR⊕KABDecrypting to obtain an encrypted relay key KR⊕KB(ii) a The encrypted relay key KR⊕KBObtained by the following formula: kR⊕KAB⊕KBA⊕KB=KR⊕KB(ii) a And is also used for sending the encrypted relay key K to the next nodeR⊕KBThen, the encrypted relay encryption key K is reusedBC⊕KBFor the encrypted relay key KR⊕KBEncrypting to obtain a second relay key KR⊕KBC(ii) a Wherein the relay encryption key KBCWith a receive decryption key K at the next nodeCBCorrespondingly, the second relay key KR⊕KBCObtained by the following formula: kR⊕KB⊕KBC⊕KB=KR⊕KBC
A key cache module for storing the encrypted relay decryption key KBA⊕KBAnd encrypted relay encryption key KBC⊕KB
A receiving quantum terminal C for receiving the second relay key K sent by the previous nodeR⊕KBCThereafter, using said received decryption key KCBPerform decryption (K)R⊕KBC⊕KCB=KR) Obtaining the relay key KR
Example 8
On the basis of embodiment 7, a preset sending key encryption key K can be added to the sending quantum terminal aAFor encrypting the transmission key KABEncrypting to generate an encrypted transmission encryption key KAB⊕KA(ii) a The preset receiving key encryption key K can be added to the receiving quantum terminal CCFor decrypting a key K on receptionCBEncrypting to generate an encrypted reception decryption key KCB⊕KC. Namely, the system specifically includes:
a transmitting quantum terminal A for encrypting the secret key K by using a preset transmitting secret keyARespectively for transmitting the encryption key KABAnd a relay key KREncrypting to generate encrypted transmission encryption keys KAB⊕KAAnd encrypted relay key KR⊕KA(ii) a And also for the encrypted relay key K to be transmittedR⊕KASending an encryption key K using said encryptionAB⊕KAObtaining a first relay secret key K after encryptionR⊕KABThen the first relay key K is usedR⊕KABSending to the next node; wherein the sending encryption key KABRelay decryption key K with the next nodeBACorresponding;
wherein each of the trusted repeaters B comprises:
a key encryption module for storing a preset key encryption key KBAnd encrypting the secret key K by a preset secret keyBDecrypting the key K for the relayBAEncryption to obtain an encrypted relay decryption key KBA⊕KB(ii) a And also for encrypting a secret key K by means of said preset secret keyBEncrypting the key K to the relayBCEncrypting to obtain an encrypted relay encryption key KBC⊕KB
A key relay forwarding module for receiving a first relay key K from a previous nodeR⊕KABThereafter, the key K is decrypted by said encrypted relayBA⊕KBFor the first relay key KR⊕KABDecrypting to obtain an encrypted relay key KR⊕KB(ii) a The encrypted relay key KR⊕KBObtained by the following formula: kR⊕KAB⊕KBA⊕KB=KR⊕KB(ii) a And is also used for sending the encrypted relay key K to the next nodeR⊕KBThen, the encrypted relay encryption key K is reusedBC⊕KBFor the encrypted relay key KR⊕KBEncrypting to obtain a second relay key KR⊕KBC(ii) a Wherein the relay encryption key KBCWith a receive decryption key K at the next nodeCBCorrespondingly, the second relay key KR⊕KBCObtained by the following formula: kR⊕KB⊕KBC⊕KB=KR⊕KBC
A key cache module for storing the encrypted relay decryption key KBA⊕KBAnd encrypted relay encryption key KBC⊕KB
A receiving quantum terminal C for encrypting the secret key K by using a preset receiving secret keyCDecrypting the key K for the receptionCBEncrypting to generate an encrypted reception decryption key KCB⊕KC(ii) a And is also used for receiving a second relay key K sent by the last nodeR⊕KBCThen, the encrypted reception decryption key K is usedCB⊕KCPerform decryption (K)R⊕KBC⊕KCB⊕KC=KR⊕KC) Obtaining an encrypted relay key KR⊕KC
Example 9
Based on embodiment 7, as shown in fig. 7, in embodiment 9 provided in this embodiment of the present invention, on the basis that the trusted relay node adds the key encryption key, a preset transmission key encryption key K may be added only to the transmission quantum terminal aAFor encrypting the transmission key KABEncrypting to generate an encrypted transmission encryption key KAB⊕KA. As shown in fig. 8, in addition to the addition of the key encryption key by the trusted relay node, a preset receiving key encryption key K may be added only to the receiving quantum terminal CCFor decrypting a key K on receptionCBEncrypting to generate an encrypted reception decryption key KCB⊕KC
Preferably, in embodiments 7 to 9, the transmission encryption key KABWith said relay decryption key KBAThe method comprises the steps of generating a shared quantum key through a QKD process, wherein the shared quantum key and the quantum key are in one-to-one correspondence; the relay encryption key KBCAnd the receiving decryption key KCBAre shared quantum keys generated by the QKD process, one-to-one correspondence.
As a further improvement to the foregoing embodiment, the key encryption module is a hardware chip, and a key encryption key K in the chip is used for encrypting the keyBCannot be derived to ensure that the key encrypts the key KBThe safety of (2). At the same time, the key encrypts a key KBAnd can be updated periodically according to the need to further strengthen the secret keyFreshness and safety. Preferably, the key encryption module is further configured to receive a quantum key and encrypt the key K with the quantum keyBPeriodic updates are performed.
Example 10
The foregoing embodiments are all described by taking a one-to-one linear network topology as an example. The embodiment of the invention can also be applied to a quantum communication network with a star network topology structure. As shown in fig. 9, the security of the intermediate point of the star-type 4-node network structure is enhanced, and after the security enhancement scheme is used, the key relay flow is basically consistent with the original flow, and the implementation of the key relay flow of the star-type network is not affected. If the sending quantum terminal A distributes the keys to the receiving quantum terminal C and the receiving quantum terminal D respectively, relay processes are consistent, and the process differentiation caused by the fact that a plurality of quantum terminals are connected through the trusted relay is avoided, and the implementation difficulty is increased. The key encryption method of the trusted repeater B corresponds to that of embodiment 1 one-to-one, but it is only necessary to encrypt the relay key K for each received oneR1⊕KABOr KR2⊕KABAll adopt respectively encrypted relay decryption keys KBA⊕KBCarrying out decryption; the encrypted relay encryption key K is also adopted for each sent encrypted relay keyBC⊕KBAnd KBD⊕KBEncryption is performed.
Example 11
In the quantum communication network with the star network topology in the foregoing embodiment 10, a preset transmission key encryption key K may be added to the transmission quantum terminal a by using the method as in embodiment 4AFor encrypting the transmission key KABEncrypting to generate an encrypted transmission encryption key KAB⊕KA. Preset receiving key encryption keys K can be respectively added to the receiving quantum terminal C and the receiving quantum terminal DCAnd KDFor decrypting the secret key K separately from the receptionCBAnd KDBEncrypting to generate encrypted reception decryption keys KCB⊕KCAnd KDB⊕KD. The specific flow is shown in FIG. 10, whereAnd will not be described in detail.
Example 12
In the system shown in fig. 11 and 12, the relay key K can be shared by a plurality of quantum terminalsR. As shown in fig. 12, the trusted repeater B connects the quantum terminal a, the quantum terminal C, and the quantum terminal D at the same time, and relays the key KRTo the three quantum terminals. The method comprises the following specific steps:
step 1601, at the quantum terminal a, first use the key encryption key KAFor receiving decryption key KABEncrypting and storing; at the trusted repeater B, a preset secret key is used for encrypting a secret key KBFor sending an encryption key KBA、KBC、KBDEncrypting and storing; on the quantum terminal C, firstly, the secret key K is encrypted by using the secret keyCFor receiving decryption key KCBEncrypting and storing; on the quantum terminal D, firstly, the secret key K is encrypted by using the secret keyDFor receiving decryption key KDBEncrypting and storing;
step 1602, respectively sending relay keys K to the sub-terminal A, the sub-terminal C and the sub-terminal D in the trusted repeater BRThe trusted repeater B then encrypts the relay key KR⊕KBUsing respectively encrypted transmission encryption keys KBA⊕KB、KBC⊕KBAnd KBD⊕KBAfter being encrypted, the data are respectively sent to a quantum terminal A, a quantum terminal C and a quantum terminal D; the specific process is the same as the process for transmitting a single quantum terminal in the foregoing implementation, but is repeated 3 times, and is not described herein again;
step 1603, the quantum terminal A receives the encrypted relay key KR⊕KBAUsing the encrypted receive decryption key KAB⊕KAAfter decryption, obtaining an encrypted relay key KR⊕KA(ii) a Quantum terminal C receives encrypted relay key KR⊕KBCUsing the encrypted receive decryption key KCB⊕KCAfter decryption, obtaining an encrypted relay key KR⊕KC(ii) a Quantum terminal D receives encrypted relay key KR⊕KBDUsing the encrypted receive decryption key KDB⊕KDAfter decryption, obtaining an encrypted relay key KR⊕KD
Example 13
The embodiment of the invention also provides a security enhancement method of the quantum key management layer, so as to realize the processing of the key management layer without a plaintext key and enhance the security of the whole key management system. Specifically, as shown in fig. 13, the entire quantum communication network may be divided into a key generation layer, a key management layer, and an application layer. The application layer can comprise an application device A and an application device C, and the key management layer comprises a key management device A and at least one key management device Bn(n is a positive integer, n is not less than 1), and a key management device C. Wherein, if the example shown in fig. 3 is taken as an example, the key management device a and the key management device C are respectively used for managing the keys of the transmitting quantum terminal a and the receiving quantum terminal C, and the key management device B1May be used to manage the relay decryption key and the relay encryption key of the trusted repeater B.
The working process is as follows:
step 1701, the key generation device a1 is preset with a key K for sending encryptionABEncrypted transmission key encryption key KAThen, the key generation device a1 encrypts the transmission key with the key KASynchronizing to the application device A; k can be realized, for example, by means of a removable memoryASynchronization and update;
step 1702, the key generation device A1 and the key generation device B1 perform Quantum Key Distribution (QKD) to generate the sending encryption key KABThereafter, the key K is encrypted using the transmission keyAObtaining an encrypted transmission encryption key K after encryptionAB⊕KA(ii) a Sending encrypted encryption key KAB⊕KATransmitted to the key management device A for storage as a relay key K for sending encryption to the device of the next nodeR⊕KAThen, the encrypted transmission encryption key K is usedAB⊕KATo the encrypted relay key KR⊕KAEncrypting to obtain an encrypted relay key KR⊕KAB
Step 1703, the key sent by the key management device a to the application device a is the encrypted relay key KR⊕KA(ii) a Before using service key, application equipment A uses transmission key to encrypt key KADecrypting to obtain the relay key KRThen the relay key K is transmittedRAs a traffic key.
The workflow of the node C is identical to that of the node A, as shown in step 1701 and 1703.
Through the reconstruction of the key storage and key relay processes in the above way, the system of the key management layer can ensure that:
a. the key stored on the key management device is an encrypted key, and neither the generated key nor the relayed key is a plaintext key;
b. the key management device does not need to store a key encryption key, and does not need to restore the encrypted key into a plaintext key, so that the security of the key is enhanced;
c. in the key relay process, the relayed keys are in an encrypted state from the beginning to the end, and no plaintext keys are needed to participate in the relay process, and the specific process is shown in fig. 6. The key for completing the relay exists in an encrypted form, such as: key management devices A and B1The last relay key obtained above is respectively KR⊕KA、KR⊕KB1
d. When the key is transmitted among the devices of the key management layer, the key generation layer and the application layer, the keys are encrypted, so that the secure transmission of the keys is ensured.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (20)

1. A key encryption method for a trusted repeater, comprising:
step 101, after receiving a first relay key sent by a previous node, a trusted relay decrypts the first relay key through an encrypted relay decryption key to obtain an encrypted relay key; the encrypted relay decryption key is generated by encrypting a relay decryption key by using a preset key encryption key, and the first relay key is generated by encrypting the relay key by using a sending encryption key corresponding to the relay decryption key by the previous node; the relay decryption key and the sending encryption key are symmetric keys;
step 102, when the trusted relay sends the encrypted relay key to the next node, encrypting the encrypted relay key by using the encrypted relay encryption key to obtain a second relay key; the encrypted relay encryption key is generated after the relay encryption key is encrypted by using the preset key encryption key, corresponds to the receiving decryption key at the next node and is a symmetric key;
the algorithm adopted by the encryption and the decryption is an exclusive-or algorithm.
2. The key encryption method for the trusted repeater according to claim 1, wherein the sending encryption key and the relay decryption key are shared quantum keys generated through a QKD process, and are in one-to-one correspondence; the relay encryption key and the receiving decryption key are shared quantum keys generated through a QKD process, and the relay encryption key and the receiving decryption key correspond to each other one by one.
3. The key encryption method of the trusted repeater according to claim 1, wherein the key encryption key is pre-stored in a hardware chip of the trusted repeater for updating, encrypting and decrypting operations, and the key encryption key in the chip cannot be derived.
4. The key encryption method of the trusted repeater according to any one of claims 1 to 3, wherein the key encryption key is periodically updated by a quantum key.
5. A key encryption apparatus of a trusted repeater, comprising:
the key encryption module is used for storing a preset key encryption key and encrypting the relay decryption key through the preset key encryption key to obtain an encrypted relay decryption key; the relay encryption key is further used for encrypting the relay encryption key through the preset key encryption key to obtain an encrypted relay encryption key;
the key relay forwarding module is used for decrypting the first relay key through the encrypted relay decryption key after receiving the first relay key from the previous node so as to obtain an encrypted relay key; the first relay key is generated after the previous node encrypts a relay key by using a sending encryption key corresponding to the relay decryption key; the relay decryption key and the sending encryption key are symmetric keys; the relay node is further configured to encrypt the encrypted relay key using the encrypted relay encryption key to obtain a second relay key when the encrypted relay key is sent to a next node; wherein the relay encryption key corresponds to the receive decryption key at the next node and is a symmetric key;
a key cache module for storing the encrypted relay decryption key and the encrypted relay encryption key;
the algorithm adopted by the encryption and the decryption is an exclusive-or algorithm.
6. The key encryption apparatus of a trusted repeater according to claim 5, wherein the transmission encryption key and the relay decryption key are shared quantum keys generated through a QKD process, in one-to-one correspondence; the relay encryption key and the receiving decryption key are shared quantum keys generated through a QKD process, and the relay encryption key and the receiving decryption key correspond to each other one by one.
7. The key encryption apparatus of the trusted repeater according to claim 5, wherein the key encryption module is a hardware chip, and a key encryption key in the chip cannot be derived.
8. The key encryption device of the trusted repeater according to any one of claims 5 to 7, wherein the key encryption module is further configured to receive a quantum key and periodically update the key encryption key through the quantum key.
9. A key encryption method for a quantum communication network, comprising:
step 701, the sending quantum terminal encrypts the relay key to be sent by using a sending encryption key to obtain a first relay key, and then sends the first relay key to the next node; wherein the sending encryption key corresponds to the relay decryption key at the next node and is a symmetric key;
step 702, after receiving a first relay key or a second relay key sent by a previous node, a trusted relay decrypts the first relay key or the second relay key through an encrypted relay decryption key to obtain an encrypted relay key; the encrypted relay decryption key is generated by encrypting the relay decryption key by using a preset key encryption key;
step 703, when the trusted relay sends the encrypted relay key to the next node, encrypting the encrypted relay key by using the encrypted relay encryption key to obtain a second relay key; the encrypted relay encryption key is generated after the relay encryption key is encrypted by using the preset key encryption key, when the next node is a trusted repeater, the relay encryption key corresponds to the relay decryption key at the next node and is a symmetric key, and when the next node is a receiving quantum terminal, the relay encryption key corresponds to the receiving decryption key at the next node and is a symmetric key;
step 704, after receiving the second relay key sent by the previous node, the receiving quantum terminal decrypts the second relay key by using the receiving decryption key to obtain the relay key;
when a transmitting quantum terminal in the quantum communication network transmits a relay key to be transmitted to a receiving quantum terminal, the relay key passes through one or more trusted repeaters, and when the relay key passes through a plurality of trusted repeaters, each trusted repeater performs step 702 and step 703;
the algorithm adopted by the encryption and the decryption is an exclusive-or algorithm.
10. The key encryption method for a quantum communication network according to claim 9, wherein a transmission key encryption key is preset at the transmission quantum terminal to encrypt the transmission encryption key to generate an encrypted transmission encryption key; a receiving key encryption key is preset at the receiving quantum terminal to encrypt the receiving decryption key so as to generate an encrypted receiving decryption key;
the method specifically comprises the following steps:
step 801, a sending quantum terminal encrypts a sending encryption key and a relay key respectively by using a preset sending key encryption key to generate an encrypted sending encryption key and an encrypted relay key respectively;
step 802, the sending quantum terminal encrypts the encrypted relay key to be sent by using the encrypted sending encryption key to obtain a first relay key, and then sends the first relay key to the next node; wherein the sending encryption key corresponds to the relay decryption key at the next node and is a symmetric key;
step 803, after receiving the first relay key or the second relay key sent by the previous node, the trusted relay decrypts the first relay key or the second relay key by using the encrypted relay decryption key to obtain an encrypted relay key; the encrypted relay decryption key is generated by encrypting the relay decryption key by using a preset key encryption key;
step 804, when the trusted relay sends the encrypted relay key to the next node, the encrypted relay key is encrypted by using the encrypted relay encryption key to obtain a second relay key, and then the second relay key is sent to the next node; the encrypted relay encryption key is generated after the relay encryption key is encrypted by using the preset key encryption key, when the next node is a trusted repeater, the relay encryption key corresponds to the relay decryption key at the next node and is a symmetric key, and when the next node is a receiving quantum terminal, the relay encryption key corresponds to the receiving decryption key at the next node and is a symmetric key;
step 805, after receiving the second relay key sent by the previous node, the receiving quantum terminal decrypts the second relay key by using the encrypted receiving decryption key to obtain an encrypted relay key; and the encrypted receiving decryption key is generated by encrypting the receiving decryption key by the receiving quantum terminal by using a preset receiving key encryption key.
11. The key encryption method for a quantum communication network according to claim 9 or 10, wherein the sending encryption key and the corresponding relay decryption key are shared quantum keys generated by QKD process, and they are in one-to-one correspondence; the relay encryption key and the corresponding relay decryption key or the receiving decryption key are shared quantum keys generated through a QKD process, and the relay encryption key and the corresponding relay decryption key or the receiving decryption key are in one-to-one correspondence.
12. The key encryption method of a quantum communication network according to claim 9, wherein the key encryption key is pre-stored in a hardware chip for update, encryption and decryption operations, and the key encryption key in the chip cannot be derived.
13. The key encryption method for a quantum communication network according to claim 9, wherein the key encryption key is periodically updated by a quantum key.
14. The key encryption method for a quantum communication network according to claim 9 or 10, wherein the method further comprises:
step 1701, presetting a sending key encryption key for encrypting the sending encryption key on a key generation device of the sending quantum terminal, and then synchronizing the sending key encryption key to an application device of the sending quantum terminal by the key generation device;
1702, after quantum key distribution is performed between a key generation device of the sending quantum terminal and a key generation device of a next node to generate a sending encryption key of the sending quantum terminal, encrypting the sending encryption key by using the sending encryption key to obtain an encrypted sending encryption key; transmitting the encrypted sending encryption key to a key management device of a sending quantum terminal for storage, so that when the sending quantum terminal sends an encrypted relay key to a device of a next node, the encrypted relay key is encrypted by using the encrypted sending encryption key to obtain the first relay key;
step 1703, the key management device of the sending quantum terminal sends the encrypted relay key to the application device of the sending quantum terminal; before using a service key, an application device of a sending quantum terminal decrypts the encrypted key by using the sending key to obtain a relay key, and then uses the relay key as the service key;
and the sending quantum terminal synchronizes and updates the sending key encryption key through the mobile storage equipment.
15. The key encryption method for a quantum communication network according to claim 9 or 10, wherein the method further comprises:
step 1801, presetting a receiving key encryption key for encrypting a receiving decryption key on a key generation device of the receiving quantum terminal, and then synchronizing the receiving key encryption key to an application device of the receiving quantum terminal by the key generation device;
step 1802, after quantum key distribution is performed on a key generation device of a receiving quantum terminal and a key generation device of a previous node to generate a receiving decryption key of the receiving quantum terminal, encrypting the receiving decryption key by using the receiving key encryption key to obtain an encrypted receiving decryption key; transmitting the encrypted receiving decryption key to a key management device of a receiving quantum terminal for storage, so that when the receiving quantum terminal receives the second relay key sent by the previous node device, the second relay key is decrypted by using the encrypted receiving decryption key to obtain an encrypted relay key;
step 1803, the key management device of the receiving quantum terminal sends the encrypted relay key to the application device of the receiving quantum terminal; before using a service key, an application device of a receiving quantum terminal decrypts the encrypted key by using the receiving key to obtain a relay key, and then uses the relay key as the service key;
and the receiving quantum terminal synchronizes and updates the receiving key encryption key through the mobile storage equipment.
16. A secret key encryption system of a quantum communication network comprises at least one sending quantum terminal, at least one receiving quantum terminal and at least one trusted repeater;
the sending quantum terminal is used for encrypting the relay key to be sent by using the sending encryption key to obtain a first relay key and then sending the first relay key to the next node; wherein the sending encryption key corresponds to the relay decryption key at the next node and is a symmetric key;
each trusted repeater includes:
the key encryption module is used for storing a preset key encryption key and encrypting the relay decryption key through the preset key encryption key to obtain an encrypted relay decryption key; the relay encryption key is further used for encrypting the relay encryption key through the preset key encryption key to obtain an encrypted relay encryption key;
the key relay forwarding module is used for decrypting the first relay key or the second relay key through the encrypted relay decryption key after receiving the first relay key or the second relay key from the previous node to obtain an encrypted relay key; the relay node is further configured to encrypt the encrypted relay key using the encrypted relay encryption key to obtain a second relay key when the encrypted relay key is sent to a next node; when the next node is a trusted repeater, the relay encryption key corresponds to a relay decryption key at the next node and is a symmetric key, and when the next node is a receiving quantum terminal, the relay encryption key corresponds to a receiving decryption key at the next node and is a symmetric key;
a key cache module for storing the encrypted relay decryption key and the encrypted relay encryption key;
the receiving quantum terminal is used for decrypting by using the receiving decryption key after receiving the second relay key sent by the previous node to obtain the relay key;
the algorithm adopted by the encryption and the decryption is an exclusive-or algorithm.
17. The key encryption system of a quantum communication network of claim 16, wherein the system specifically comprises;
the transmitting quantum terminal is used for encrypting the transmitting encryption key and the relay key respectively by using a preset transmitting key encryption key so as to generate an encrypted transmitting encryption key and an encrypted relay key respectively; the relay node is further configured to encrypt the encrypted relay key to be sent by using the encrypted sending encryption key to obtain a first relay key, and then send the first relay key to a next node; wherein the sending encryption key corresponds to the relay decryption key at the next node and is a symmetric key;
wherein each of the trusted repeaters comprises:
the key encryption module is used for storing a preset key encryption key and encrypting the relay decryption key through the preset key encryption key to obtain an encrypted relay decryption key; the relay encryption key is further used for encrypting the relay encryption key through the preset key encryption key to obtain an encrypted relay encryption key;
the key relay forwarding module is used for decrypting the first relay key or the second relay key through the encrypted relay decryption key after receiving the first relay key or the second relay key from the previous node to obtain an encrypted relay key; the relay node is further configured to encrypt the encrypted relay key using the encrypted relay encryption key to obtain a second relay key when the encrypted relay key is sent to a next node; when the next node is a trusted repeater, the relay encryption key corresponds to a relay decryption key at the next node and is a symmetric key, and when the next node is a receiving quantum terminal, the relay encryption key corresponds to a receiving decryption key at the next node and is a symmetric key;
a key cache module for storing the encrypted relay decryption key and the encrypted relay encryption key;
the receiving quantum terminal is used for encrypting the receiving decryption key by using a preset receiving key encryption key so as to generate an encrypted receiving decryption key; and the relay node is further configured to decrypt, after receiving the second relay key sent by the previous node, by using the encrypted reception decryption key, to obtain an encrypted relay key.
18. The key encryption system of a quantum communication network according to claim 16 or 17, wherein the sending encryption key and the corresponding relay decryption key are shared quantum keys generated by QKD process, one-to-one correspondence; the relay encryption key and the corresponding relay decryption key or the receiving decryption key are shared quantum keys generated through a QKD process, and the relay encryption key and the corresponding relay decryption key or the receiving decryption key are in one-to-one correspondence.
19. The key encryption system of the quantum communication network according to claim 16 or 17, wherein the key encryption module is a hardware chip, and a key encryption key in the chip cannot be derived.
20. The key encryption system of the quantum communication network according to claim 16 or 17, wherein the key encryption module is further configured to receive a quantum key and periodically update the key encryption key through the quantum key.
CN201611255339.1A 2016-12-30 2016-12-30 Trusted repeater, and secret key encryption method, device and system of quantum communication network Active CN108270553B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611255339.1A CN108270553B (en) 2016-12-30 2016-12-30 Trusted repeater, and secret key encryption method, device and system of quantum communication network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611255339.1A CN108270553B (en) 2016-12-30 2016-12-30 Trusted repeater, and secret key encryption method, device and system of quantum communication network

Publications (2)

Publication Number Publication Date
CN108270553A CN108270553A (en) 2018-07-10
CN108270553B true CN108270553B (en) 2020-12-22

Family

ID=62754592

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611255339.1A Active CN108270553B (en) 2016-12-30 2016-12-30 Trusted repeater, and secret key encryption method, device and system of quantum communication network

Country Status (1)

Country Link
CN (1) CN108270553B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110266473A (en) * 2019-04-22 2019-09-20 北京邮电大学 Method, relay node and the distribution method of relay node distribution quantum key
CN111865567B (en) * 2019-04-29 2021-11-30 科大国盾量子技术股份有限公司 Relay method, device, system, equipment and storage medium of quantum key
JP7309668B2 (en) * 2020-07-22 2023-07-18 株式会社東芝 Communication system, key management server device, router and program
CN115242389B (en) * 2022-09-23 2022-12-23 安徽华云安科技有限公司 Data confusion transmission method and system based on multi-level node network

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243143B (en) * 2013-06-08 2017-03-29 科大国盾量子技术股份有限公司 A kind of mobile secret communication method based on quantum key distribution network
CN104113409B (en) * 2014-07-23 2017-09-05 中国科学院信息工程研究所 The key management method and system of a kind of SIP video monitoring networkings system
CN105471576B8 (en) * 2015-12-28 2017-07-21 科大国盾量子技术股份有限公司 A kind of method of quantum key relaying, quantum terminal node and system
CN105915337A (en) * 2016-05-27 2016-08-31 安徽问天量子科技股份有限公司 Quantum encryption microwave relay communication system and quantum encryption microwave relay communication method

Also Published As

Publication number Publication date
CN108270553A (en) 2018-07-10

Similar Documents

Publication Publication Date Title
CN109412794B (en) Quantum key automatic charging method and system suitable for power business
CN105471576B (en) A kind of method of quantum key relaying, quantum terminal node and system
CN106330434B (en) First quantum node, second quantum node, secure communication architecture system and method
CN108270553B (en) Trusted repeater, and secret key encryption method, device and system of quantum communication network
US8170211B2 (en) Hub device for a network comprising quantum cryptographic connections and node module for said hub device
CN113765665B (en) Block chain network based on quantum key and data secure transmission method
CN107437995A (en) Satellite-based wide area quantum communication network system and communication means
CN107094076B (en) Secret communication method based on quantum true random number and communication system
JP2005117511A (en) Quantum cipher communication system and quantum cipher key distributing method used therefor
WO2023082599A1 (en) Blockchain network security communication method based on quantum key
US20110243331A1 (en) Shared random numbers management method and management system in secret communication network
CN110224821A (en) A kind of communication encrypting method of unmanned mobile platform
CN109660337A (en) A kind of communications network system and its cryptographic key distribution method that quantum is merged with classics
Tajima et al. Quantum key distribution network for multiple applications
JP6544519B2 (en) Mobile control system
CN105847001A (en) Device, system and method for digital microwave communication based on quantum encryption
US20240178994A1 (en) Secure symmetric key distribution
KR102047541B1 (en) Method for Quantum Cryptography for Network Combining Ring and Star Structure
CN114401085B (en) Network architecture and key storage method of quantum secret communication network
CN114362936A (en) Secret key relay method in communication network based on quantum secrecy
JP4622866B2 (en) Quantum cryptographic communication system, quantum cryptographic key distribution method used therefor, communication device, and cryptographic communication method used therefor
Lin et al. Quantum key distribution in partially-trusted QKD ring networks
Cho et al. Quantum key distribution as a service
US20230018829A1 (en) Method and system for performing a secure key relay of an encryption key
WO2023188855A1 (en) Cryptographic key sharing system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant