CN108347404A - A kind of identity identifying method and device - Google Patents


Info

Publication number
CN108347404A
Authority
CN
China
Prior art keywords
equipment
quantum key
information
certified
authentication
Legal status
Granted, active
Application number
CN201710052613.3A
Other languages
Chinese (zh)
Other versions
CN108347404B (en)
Inventor
阎军智
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Co Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852 Quantum cryptography

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Computing Systems
  • General Engineering & Computer Science
  • Computer Hardware Design
  • Physics & Mathematics
  • Electromagnetism
  • Theoretical Computer Science
  • Storage Device Security
  • Management, Administration, Business Operations System, And Electronic Commerce
  • Mobile Radio Communication Systems

Abstract

The present invention provides an identity authentication method and device, relating to the technical field of network security, with the aim of improving authentication efficiency. The method includes: generating an authentication request, the authentication request including identity information, the identifier of a first quantum key used for the current authentication, and a first ciphertext obtained by encrypting the identity information with the first quantum key; sending the authentication request to a second device, so that the second device forwards the authentication request to an authentication server and the authentication server performs authentication according to the authentication request; and receiving an authentication response sent by the second device, the authentication response including an authentication message of the authentication server. The present invention is mainly used in identity authentication technology.

Description

An identity authentication method and device
Technical field
The present invention relates to the technical field of network security, and in particular to an identity authentication method and device.
Background technology
Authentication refers to the process of confirming user identity, is first of critical point of network safety prevention.In equipment identities Field of authentication mainly has two kinds of authentication modes of wildcard and public key certificate at present.Wherein wildcard requires certification double The in advance preset identical root key in side, is recognized based on root key using a series of crypto-operation in verification process Card.Public key certificate mode requires the side of being certified to possess a digital certificate, while itself needing built-in private key corresponding with certificate.
Wherein, wildcard is to use more one of authentication mode at present, and which requires the preset phase of both sides Same root key needs to carry out multiple crypto-operation, and certification both sides to root key in verification process to protect root key It needs repeatedly to be interacted, needs to occupy certain computing resource and Internet resources.
Digital certificate authentication requirement is certified direction certificate agency application one and opens digital certificate, while itself storage and certificate Corresponding private key needs to use public key algorithm in certification.Since efficiency is low compared with symmetric cryptographic algorithm for public key algorithm, need More computing resource, it is more demanding to terminal capability.In addition, the raising with computer computation ability and quantum computer Development, the public key algorithm of the mainstreams such as RSA are gradually broken through, cannot meet safety requirements.
With the fast development of Technique on Quantum Communication, Quantum Secure Communication can be with using quantum-mechanical basic principle Ensure that key is perfectly safe, that is, any measurement to quantized system can all generate interference, so if there is attacker to attempt pair System is measured to obtain key information, and communicating pair will know.Quantum Secure Communication can be with by quantum network Realize that the secure distribution of key, these keys are known as quantum key.Should include quantum key R-T unit in usual quantum network And quantum channel, quantum key R-T unit are used for the transmission of quantum key, quantum for generating and distributing key, quantum channel Existing Encryption Algorithm can be used to realize the safe transmission of information in classical communication network for key.It can be with due to the use of quantum network A large amount of quantum keys are generated, therefore, realize that authentication and data are encrypted to as new research hotspot using these keys.
Summary of the invention
In view of this, the present invention provides an identity authentication method and device, so as to improve authentication efficiency.
To solve the above technical problem, the present invention provides an identity authentication method, applied to a first device, including:
generating an authentication request, the authentication request including identity information, the identifier of a first quantum key used for the current authentication, and a first ciphertext obtained by encrypting the identity information with the first quantum key;
sending the authentication request to a second device, so that the second device forwards the authentication request to an authentication server and the authentication server performs authentication according to the authentication request;
receiving an authentication response sent by the second device, the authentication response including an authentication message of the authentication server.
Wherein the first ciphertext further includes first information to be authenticated;
the authentication message of the authentication server includes a first authentication message for the first device; the first authentication message includes the identifier of a second quantum key used by the authentication server for the current authentication, and a second ciphertext obtained by encrypting an authentication result and second information to be authenticated with the second quantum key; the authentication result includes the authentication server's authentication result for the first device and the authentication server's authentication result for the second device; and the method further includes:
authenticating the second device and the authentication server respectively according to the authentication response.
Wherein authenticating the second device and the authentication server respectively according to the authentication response includes:
looking up a third quantum key corresponding to the identifier of the second quantum key;
if the third quantum key is found, reading the status indicator of the third quantum key;
if the status indicator of the third quantum key indicates that the third quantum key has not been used, decrypting the second ciphertext with the third quantum key to obtain the second information to be authenticated and the authentication result;
comparing the second information to be authenticated with the first information to be authenticated;
if the second information to be authenticated is consistent with the first information to be authenticated, the authentication server passes authentication;
if the authentication result indicates that the authentication server has passed the second device, the second device passes authentication.
Wherein the first ciphertext further includes first information to be authenticated; the authentication request further includes a first large integer and a second large integer; and a first verification number is computed from the first large integer, the second large integer and a third large integer;
the second information to be authenticated includes a random number and a second verification number generated by the second device from the first large integer, the second large integer and a fourth large integer;
comparing the second information to be authenticated with the first information to be authenticated includes:
comparing the random number in the second information to be authenticated with the random number in the first information to be authenticated.
Wherein the method further includes:
computing a shared quantum key, the shared quantum key being used for communication with the second device;
the shared quantum key is computed as follows:
$K = X^y \bmod n = Y^x \bmod n = g^{xy} \bmod n$, where $Y = g^y \bmod n$ and $X = g^x \bmod n$;
where K denotes the shared quantum key, g the first large integer, n the second large integer, x the third large integer, y the fourth large integer, X the first verification number and Y the second verification number.
Wherein the authentication message of the authentication server includes the authentication server's authentication result for the first device; and the first information to be authenticated is a random number.
Wherein the method further includes:
obtaining from a quantum key distribution device a quantum key set shared with the authentication server;
assigning key identifiers to the keys in the quantum key set in a predetermined way;
storing the quantum key set, the key identifiers, the identifier of the first device and the identifier of the authentication server.
Wherein the method further includes:
updating the quantum key set.
In a second aspect, the present invention provides an identity authentication method, applied to a second device, including:
receiving a first authentication request from a first device, the first authentication request including the identity information of the first device, the identifier of a first quantum key used by the first device for the current authentication, and a first ciphertext obtained by encrypting the identity information with the first quantum key;
sending an identity authentication request to an authentication server, the identity authentication request including the first authentication request, so that the authentication server performs authentication according to the identity authentication request;
receiving an authentication message from the authentication server and authenticating the first device according to the authentication message;
sending an authentication response to the first device according to the authentication message.
Wherein, after receiving the first authentication request from the first device, the method further includes:
generating a second authentication request, the second authentication request including the identity information of the second device, the identifier of a second quantum key used by the second device for the current authentication, and a second ciphertext obtained by encrypting the identity information and second information to be authenticated with the second quantum key;
the identity authentication request further including the second authentication request.
Wherein the authentication message of the authentication server includes a second authentication message for the second device; the second authentication message includes the identifier of a third quantum key used by the authentication server for the current authentication, and a third ciphertext obtained by encrypting an authentication result and third information to be authenticated with the third quantum key; the authentication result includes the authentication server's authentication result for the first device and the authentication server's authentication result for the second device;
the method further includes: receiving the authentication message from the authentication server and authenticating the authentication server according to the authentication message.
Wherein authenticating the authentication server according to the authentication message includes:
looking up a fourth quantum key corresponding to the identifier of the third quantum key;
if the fourth quantum key is found, reading the status indicator of the fourth quantum key;
if the status indicator of the fourth quantum key indicates that the fourth quantum key has not been used, decrypting the third ciphertext with the fourth quantum key to obtain the third information to be authenticated and the authentication result;
comparing the third information to be authenticated with the second information to be authenticated;
if the third information to be authenticated is consistent with the second information to be authenticated, the authentication server passes authentication;
and authenticating the first device according to the authentication message includes:
if the authentication result indicates that the authentication server has passed the first device, the first device passes authentication.
Wherein the first ciphertext further includes first information to be authenticated; the first information to be authenticated is a random number and a first verification number; the first authentication request further includes a first large integer and a second large integer; and the first verification number is computed from the first large integer, the second large integer and a third large integer;
the second information to be authenticated includes a random number and a second verification number generated from the first large integer, the second large integer and a fourth large integer;
comparing the third information to be authenticated with the second information to be authenticated includes:
comparing the random number in the third information to be authenticated with the random number in the second information to be authenticated.
Wherein the method further includes:
computing a shared quantum key, the shared quantum key being used for communication with the first device;
the shared quantum key is computed as follows:
$K = X^y \bmod n = Y^x \bmod n = g^{xy} \bmod n$, where $Y = g^y \bmod n$ and $X = g^x \bmod n$;
where K denotes the shared quantum key, g the first large integer, n the second large integer, x the third large integer, y the fourth large integer, X the first verification number and Y the second verification number.
Wherein the method further includes:
obtaining from a quantum key distribution device a quantum key set shared with the authentication server;
assigning key identifiers to the keys in the quantum key set in a predetermined way;
storing the quantum key set, the key identifiers, the identifier of the second device and the identifier of the authentication server.
Wherein the method further includes:
updating the quantum key set.
In a third aspect, the present invention provides an identity authentication method, applied to an authentication server, including:
receiving an identity authentication request from a second device, the identity authentication request including a first authentication request of a first device; the first authentication request including the identity information of the first device, the identifier of a first quantum key used by the first device for the current authentication, and a first ciphertext obtained by encrypting the identity information with the first quantum key;
performing authentication according to the identity authentication request;
sending an authentication message to the second device.
Wherein the first ciphertext further includes first information to be authenticated; the identity authentication request further includes a second authentication request, the second authentication request including the identity information of the second device, the identifier of a second quantum key used by the second device for the current authentication, and a second ciphertext obtained by encrypting the identity information and second information to be authenticated with the second quantum key.
Wherein performing authentication according to the identity authentication request includes:
looking up a third quantum key corresponding to the identifier of the first quantum key;
if the third quantum key is found, reading the status indicator of the third quantum key;
if the status indicator of the third quantum key indicates that the third quantum key has not been used, decrypting the first ciphertext with the third quantum key to obtain the identity information of the first device and the first information to be authenticated;
comparing the identity information contained in the first authentication request with the identity information of the first device obtained by decryption;
if the identity information contained in the first authentication request is consistent with the decrypted identity information of the first device, the first device passes authentication.
Wherein performing authentication according to the identity authentication request includes:
looking up a fourth quantum key corresponding to the identifier of the second quantum key;
if the fourth quantum key is found, reading the status indicator of the fourth quantum key;
if the status indicator of the fourth quantum key indicates that the fourth quantum key has not been used, decrypting the second ciphertext with the fourth quantum key to obtain the identity information of the second device and the second information to be authenticated;
comparing the identity information contained in the second authentication request with the identity information of the second device obtained by decryption;
if the identity information contained in the second authentication request is consistent with the decrypted identity information of the second device, the second device passes authentication.
Wherein the authentication message includes a first authentication message for the first device and a second authentication message for the second device;
the first authentication message includes the identifier of a fifth quantum key used by the authentication server for the current authentication, and a third ciphertext obtained by encrypting an authentication result and third information to be authenticated with the fifth quantum key;
the second authentication message includes the identifier of a sixth quantum key used by the authentication server for the current authentication, and a fourth ciphertext obtained by encrypting the authentication result and fourth information to be authenticated with the sixth quantum key;
the authentication result includes the authentication server's authentication result for the first device and the authentication server's authentication result for the second device.
Wherein the first information to be authenticated includes a random number and a first verification number; the authentication request further includes a first large integer and a second large integer; and the first verification number is computed from the first large integer, the second large integer and a third large integer;
the second information to be authenticated includes a random number and a second verification number generated by the second device from the first large integer, the second large integer and a fourth large integer;
the third information to be authenticated includes the random number in the first information to be authenticated and the first verification number; the fourth information to be authenticated includes the random number in the second information to be authenticated and the second verification number.
Wherein the method further includes:
obtaining from a quantum key distribution device a first quantum key set shared with the first device and a second quantum key set shared with the second device;
assigning key identifiers to the keys in the first quantum key set and the second quantum key set in a predetermined way;
storing the first quantum key set, the key identifiers, the identifier of the first device and the identifier of the authentication server;
storing the second quantum key set, the key identifiers, the identifier of the second device and the identifier of the authentication server.
Wherein the method further includes:
updating the quantum key sets.
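The three method aspects above (first device, second device, authentication server) describe a single exchange in which the Diffie-Hellman values X and Y travel inside ciphertexts keyed by pre-shared quantum keys. The Python simulation below is added here as an illustration; it is not code from the patent or from China Mobile. It runs the exchange end to end: every party holds a key set with identifiers and a used/unused status indicator, the server looks each key up by identifier, refuses a key that is missing or already used, checks the cleartext identity against the decrypted one, and returns to each device its own nonce plus the peer's verification number, from which both sides compute $K = X^y \bmod n = Y^x \bmod n$. Everything the patent leaves open is an assumption: the symmetric cipher (a SHA-256 keystream with an HMAC tag, because the text only says "encrypt" and specifies no integrity protection), the group parameters (meant to be RFC 2409 group 2), the message layout, the routing of X and Y, and the names dev-A, dev-B and server. The demo keys are constructed, not taken from any QKD device. A caveat for practitioners: K is a classical Diffie-Hellman secret whose authenticity rests entirely on X and Y being carried inside the quantum-key-encrypted ciphertexts, so a status indicator that is not flipped to "used" at lookup time, or a cipher without integrity, would let a replayed or modified request through. The example marks each key used when it is looked up and ends by replaying the captured requests to show that the server refuses them.

```python
"""Added illustration: first device A, second device B (relay and peer), authentication server S."""
import hashlib
import hmac
import secrets

# Assumption: g and n stand for the 'first' and 'second large integer'; n is meant to be the
# 1024-bit MODP prime of RFC 2409 group 2, but any modulus makes the arithmetic below work.
G = 2
N = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)


def qk_encrypt(key: bytes, msg: bytes) -> bytes:
    """Assumed cipher: XOR with a SHA-256 keystream plus an HMAC tag (the patent only says 'encrypt')."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(msg) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(msg, stream))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def qk_decrypt(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered")
    return qk_encrypt(key, ct)[:-32]          # XOR is its own inverse; drop the fresh tag


class KeyPool:
    """One party's copy of a quantum key set: identifier -> [key, used flag]; position is the identifier."""

    def __init__(self, owner: bytes, keys: list):
        self.owner = owner
        self.keys = {kid: [k, False] for kid, k in enumerate(keys)}

    def take_fresh(self):                     # pick an unused key for this authentication
        for kid, entry in self.keys.items():
            if not entry[1]:
                entry[1] = True
                return kid, entry[0]
        raise RuntimeError("key set exhausted; refill from the QKD device")

    def lookup(self, kid: int):               # search by id, read status, consume if unused
        entry = self.keys.get(kid)
        if entry is None or entry[1]:
            return None
        entry[1] = True
        return entry[0]


def device_request(pool: KeyPool, g: int, n: int):
    """Authentication request: clear identity, key id, ciphertext of (identity, nonce, g^e mod n)."""
    e = secrets.randbelow(n - 2) + 2          # private exponent (third or fourth large integer)
    vnum = pow(g, e, n)                       # verification number X (at A) or Y (at B)
    nonce = secrets.token_hex(16).encode()
    kid, key = pool.take_fresh()
    body = b"|".join([pool.owner, nonce, str(vnum).encode()])
    return {"id": pool.owner, "kid": kid, "g": g, "n": n, "ct": qk_encrypt(key, body)}, (e, nonce)


def server_authenticate(pools: dict, req_a: dict, req_b: dict):
    """S checks both requests; returns the two authentication messages, or None on rejection."""
    opened = {}
    for req in (req_a, req_b):
        key = pools[req["id"]].lookup(req["kid"])
        if key is None:                       # unknown or already-used key id: no decryption at all
            return None
        ident, nonce, vnum = qk_decrypt(key, req["ct"]).split(b"|")
        opened[req["id"]] = (ident == req["id"], nonce, vnum)   # clear identity vs decrypted identity
    (ok_a, nonce_a, X), (ok_b, nonce_b, Y) = opened[req_a["id"]], opened[req_b["id"]]
    result = b"%s:%d,%s:%d" % (req_a["id"], ok_a, req_b["id"], ok_b)
    # Assumed routing: each device gets its own nonce back (freshness) plus the peer's verification number.
    msgs = {}
    for dev, nonce, peer_v in ((req_a["id"], nonce_a, Y), (req_b["id"], nonce_b, X)):
        kid, key = pools[dev].take_fresh()
        msgs[dev] = {"kid": kid, "ct": qk_encrypt(key, b"|".join([result, nonce, peer_v]))}
    return msgs


def device_verify(pool: KeyPool, msg: dict, nonce: bytes, e: int, n: int, peer: bytes):
    """Authenticate S (unused key + nonce echo) and the peer (S's verdict); return K or None."""
    key = pool.lookup(msg["kid"])
    if key is None:
        return None
    result, echoed, peer_v = qk_decrypt(key, msg["ct"]).split(b"|")
    if echoed != nonce or peer + b":1" not in result.split(b","):
        return None
    return pow(int(peer_v), e, n)             # K = Y^x mod n at A, K = X^y mod n at B


def run_session(keys_a: list, keys_b: list):
    """A -> B -> S -> B -> A, then a replay against S; returns (K at A, K at B, replay rejected) or None."""
    a, b = KeyPool(b"dev-A", keys_a), KeyPool(b"dev-B", keys_b)
    s = {b"dev-A": KeyPool(b"server", keys_a), b"dev-B": KeyPool(b"server", keys_b)}
    req_a, (x, nonce_a) = device_request(a, G, N)      # A sends its request to B
    req_b, (y, nonce_b) = device_request(b, G, N)      # B adds its own and forwards both to S
    msgs = server_authenticate(s, req_a, req_b)
    if msgs is None:
        return None
    k_b = device_verify(b, msgs[b"dev-B"], nonce_b, y, N, b"dev-A")
    k_a = device_verify(a, msgs[b"dev-A"], nonce_a, x, N, b"dev-B")   # relayed by B
    return k_a, k_b, server_authenticate(s, req_a, req_b) is None
```

run_session returns the key derived at each device together with whether the replayed requests were refused; with constructed keys such as `[bytes([i]) * 32 for i in range(1, 5)]` for each pool, both K values agree and the replay is rejected because the server has already consumed the key identifiers. In a deployment the identifiers would be partitioned by direction so that a device and the server never race for the same unused key; here the ordering works only because the server consumes the device's key at lookup before choosing its own.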
In a fourth aspect, the present invention provides an identity authentication device, including:
a generation module, configured to generate an authentication request, the authentication request including identity information, the identifier of a first quantum key used for the current authentication, and a first ciphertext obtained by encrypting the identity information with the first quantum key;
a sending module, configured to send the authentication request to a second device, so that the second device forwards the authentication request to an authentication server and the authentication server performs authentication according to the authentication request;
a receiving module, configured to receive an authentication response sent by the second device, the authentication response including an authentication message of the authentication server.
Wherein the first ciphertext further includes first information to be authenticated; the authentication message of the authentication server includes a first authentication message for the first device; the first authentication message includes the identifier of a second quantum key used by the authentication server for the current authentication, and a second ciphertext obtained by encrypting an authentication result and second information to be authenticated with the second quantum key; the authentication result includes the authentication server's authentication result for the first device and the authentication server's authentication result for the second device;
the device further includes an authentication module, configured to authenticate the second device and the authentication server respectively according to the authentication response.
Wherein the authentication module includes:
a lookup submodule, configured to look up a third quantum key corresponding to the identifier of the second quantum key;
a reading submodule, configured to read the status indicator of the third quantum key if the third quantum key is found;
a decryption submodule, configured to decrypt the second ciphertext with the third quantum key to obtain the second information to be authenticated and the authentication result if the status indicator of the third quantum key indicates that the third quantum key has not been used;
a comparison submodule, configured to compare the second information to be authenticated with the first information to be authenticated;
a first authentication submodule, configured to pass the authentication server if the second information to be authenticated is consistent with the first information to be authenticated;
a second authentication submodule, configured to pass the second device if the authentication result indicates that the authentication server has passed the second device.
Wherein the first information to be authenticated includes a random number and a first verification number; the authentication request further includes a first large integer and a second large integer; and the first verification number is computed from the first large integer, the second large integer and a third large integer;
the second information to be authenticated includes a random number and a second verification number generated by the second device from the first large integer, the second large integer and a fourth large integer;
the comparison submodule is specifically configured to compare the random number in the second information to be authenticated with the random number in the first information to be authenticated.
Wherein the device further includes:
a key computation module, configured to compute a shared quantum key, the shared quantum key being used for communication with the second device;
the shared quantum key is computed as follows:
$K = X^y \bmod n = Y^x \bmod n = g^{xy} \bmod n$, where $Y = g^y \bmod n$ and $X = g^x \bmod n$;
where K denotes the shared quantum key, g the first large integer, n the second large integer, x the third large integer, y the fourth large integer, X the first verification number and Y the second verification number.
Wherein the authentication message of the authentication server includes the authentication server's authentication result for the first device; and the first information to be authenticated is a random number.
Wherein the device further includes:
a key acquisition module, configured to obtain from a quantum key distribution device a quantum key set shared with the authentication server;
a setting module, configured to assign key identifiers to the keys in the quantum key set in a predetermined way;
a storage module, configured to store the quantum key set, the key identifiers, the identifier of the first device and the identifier of the authentication server.
Wherein the device further includes:
an update module, configured to update the quantum key set.
5th aspect, the present invention provide a kind of identification authentication system, including:
First receiving module, the first certification request for receiving the first equipment include in first certification request The identity information of first equipment, first equipment are used for the mark of the first quantum key of current authentication, utilize First quantum key, first encrypted cipher text encrypted to the identity information;
First sending module is wrapped for sending ID authentication request to certificate server in the ID authentication request First certification request is included, so that the certificate server is authenticated according to the ID authentication request;
Second receiving module, the message identifying for receiving the certificate server, according to the message identifying to described First equipment is authenticated;
Second sending module, for sending authentication response to first equipment according to the message identifying.
Wherein, described device further includes:
Generation module includes the identity of the second equipment in second certification request for generating the second certification request Information, second equipment are used for the mark of the second quantum key of current authentication, utilize second quantum key pair The identity information and the second encrypted second encrypted cipher text of information to be certified;
Further include second certification request in the ID authentication request.
Wherein, the message identifying of the certificate server includes the second message identifying for second equipment, described The mark that second message identifying includes the certificate server for the third quantum key of current authentication, using described Third quantum key is to authentication result and the encrypted third encrypted cipher text of third information to be certified;The authentication result includes Certification of the certificate server to the authentication result and the certificate server of first equipment to second equipment As a result;
Described device further includes:Authentication module, the message identifying for receiving the certificate server, according to the certification Message is authenticated the certificate server.
Wherein, the authentication module includes:
Submodule is searched, for corresponding 4th quantum key of identifier lookup according to the third quantum key;
If reading submodule reads the state of the 4th quantum key for finding the 4th quantum key Mark;
Submodule is decrypted, if the status indicator for the 4th quantum key indicates that the 4th quantum key is not made With then decrypting the third encrypted cipher text using the 4th quantum key, obtain third information to be certified and described recognize Demonstrate,prove result;
Comparison sub-module, for third information to be certified and the second information to be certified to be compared;
First authentication sub module is led to if consistent with the described second information to be certified for third information to be certified Cross the certification to the certificate server;
Second authentication sub module, if indicating that the certificate server recognizes first equipment for the authentication result Card passes through, then passes through the certification to first equipment.
Wherein, in first encrypted cipher text further include the first information to be certified;Further include in first encrypted cipher text First information to be certified;Further include in first certification request:First big integer and the second largest integer;The first verification number It is obtained according to the described first big integer, the second largest integer, the third-largest integer calculations;
Second information to be certified includes:Any random number, according to the described first big integer, the second largest integer and The second verification number that the fourth-largest integer generates;
The comparison sub-module is specifically used for, and any random number and described second in third information to be certified is waited for Any random number in authentication information is compared.
The device further includes:
a key calculation module for calculating a shared quantum key, which is used for communication with the first device.
The shared quantum key is calculated as follows:
K = X^y mod n = Y^x mod n = g^(xy) mod n, where Y = g^y mod n and X = g^x mod n;
where K denotes the shared quantum key, g the first large integer, n the second large integer, x the third large integer, y the fourth large integer, X the first verification number and Y the second verification number.
The device further includes:
a key acquisition module for obtaining, from a quantum key distribution device, the quantum key set shared with the authentication server;
a setting module for assigning key identifiers to the keys in the quantum key set in a predetermined way; and
a storage module for storing the quantum key set, the key identifiers, the identity of the second device and the identity of the authentication server.
The device further includes:
an update module for updating the quantum key set.
In a sixth aspect, the present invention provides an identity authentication device including:
a receiving module for receiving an identity authentication request from a second device, where the identity authentication request includes a first authentication request of a first device, and the first authentication request includes the identity information of the first device, the identifier of the first quantum key that the first device uses for the current authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key;
an authentication module for performing authentication according to the identity authentication request; and
a sending module for sending an authentication message to the second device.
The first encrypted ciphertext further includes first information to be authenticated. The identity authentication request further includes a second authentication request, which includes the identity information of the second device, the identifier of the second quantum key that the second device uses for the current authentication, and a second encrypted ciphertext obtained by encrypting the identity information and second information to be authenticated with the second quantum key.
The authentication module includes:
a first lookup submodule for looking up the third quantum key that corresponds to the identifier of the first quantum key;
a first reading submodule for reading the status flag of the third quantum key if it is found;
a first decryption submodule for decrypting the first encrypted ciphertext with the third quantum key, if its status flag indicates that the key has not been used, to obtain the identity information of the first device and the first information to be authenticated;
a first comparison submodule for comparing the identity information carried in the first authentication request with the identity information of the first device obtained by decryption; and
a first authentication submodule for passing the authentication of the first device if the identity information carried in the first authentication request is consistent with the decrypted identity information of the first device.
The authentication module further includes:
a second lookup submodule for looking up the fourth quantum key that corresponds to the identifier of the second quantum key;
a second reading submodule for reading the status flag of the fourth quantum key if it is found;
a second decryption submodule for decrypting the second encrypted ciphertext with the fourth quantum key, if its status flag indicates that the key has not been used, to obtain the identity information of the second device and the second information to be authenticated;
a second comparison submodule for comparing the identity information carried in the second authentication request with the identity information of the second device obtained by decryption; and
a second authentication submodule for passing the authentication of the second device if the identity information carried in the second authentication request is consistent with the decrypted identity information of the second device.
The authentication message includes a first authentication message for the first device and a second authentication message for the second device.
The first authentication message includes the identifier of the fifth quantum key that the authentication server uses for the current authentication and a third encrypted ciphertext obtained by encrypting the authentication result and third information to be authenticated with the fifth quantum key.
The second authentication message includes the identifier of the sixth quantum key that the authentication server uses for the current authentication and a fourth encrypted ciphertext obtained by encrypting the authentication result and fourth information to be authenticated with the sixth quantum key.
The authentication result includes the result of the authentication server's authentication of the first device and the result of its authentication of the second device.
The first information to be authenticated includes an arbitrary random number and a first verification number. The authentication request further includes a first large integer and a second large integer; the first verification number is calculated from the first large integer, the second large integer and a third large integer.
The second information to be authenticated includes an arbitrary random number and a second verification number generated by the second device from the first large integer, the second large integer and a fourth large integer.
The third information to be authenticated includes the random number of the first information to be authenticated and the first verification number; the fourth information to be authenticated includes the random number of the second information to be authenticated and the second verification number.
The device further includes:
a key acquisition module for obtaining, from a quantum key distribution device, a first quantum key set shared with the first device and a second quantum key set shared with the second device;
a setting module for assigning key identifiers to the keys in the first quantum key set and the second quantum key set in a predetermined way;
a first storage module for storing the first quantum key set, its key identifiers, the identity of the first device and the identity of the authentication server; and
a second storage module for storing the second quantum key set, its key identifiers, the identity of the second device and the identity of the authentication server.
The device further includes:
an update module for updating the quantum key sets.
The above technical solution of the present invention has the following beneficial effect:
In the embodiments of the present invention, the authentication of a device is completed in a single round of interaction, so the scheme of the embodiments authenticates quickly and with high efficiency.
Description of the drawings
Fig. 1 is a flow chart of secure communication based on a quantum key distribution mechanism;
Fig. 2 is a flow chart of the identity authentication method of embodiment one of the present invention;
Fig. 3 is a flow chart of the identity authentication method of embodiment two of the present invention;
Fig. 4 is a flow chart of the identity authentication method of embodiment three of the present invention;
Fig. 5 is a flow chart of the identity authentication method of embodiment four of the present invention;
Fig. 6 is a flow chart of the identity authentication method of embodiment five of the present invention;
Fig. 7 is a flow chart of the identity authentication method of embodiment six of the present invention;
Fig. 8 is a schematic diagram of the identity authentication device of embodiment seven of the present invention;
Fig. 9 is a structural diagram of the identity authentication device of embodiment seven of the present invention;
Fig. 10 is a schematic diagram of the identity authentication device of embodiment eight of the present invention;
Fig. 11 is a structural diagram of the identity authentication device of embodiment eight of the present invention;
Fig. 12 is a schematic diagram of the identity authentication device of embodiment nine of the present invention;
Fig. 13 is a structural diagram of the identity authentication device of embodiment nine of the present invention.
Detailed description
The specific embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the invention but do not limit its scope.
First, a brief introduction to the basic principle of quantum secure communication.
Practical secure communication rests on two things: secure key distribution, and encrypted transmission of data under the distributed key. The communicating parties first use some secure mechanism to distribute a shared key, and then use that shared key to encrypt and decrypt the data that must be transmitted securely, so that the data pass between them confidentially.
The encryption algorithm may be the commercial standard algorithm SM4 or an international mainstream algorithm such as AES. Combined with a key distributed through a secure key distribution mechanism, it effectively protects the data transmitted during communication. Since mainstream algorithms such as SM4 and AES have high security strength and resist all known analysis and attack methods, finding a secure and efficient key distribution mechanism becomes the most critical and central problem in securing communication.
In practice, most key distribution mechanisms are built on digital certificate systems. Their security depends to a large extent on public key systems such as RSA, elliptic curves and Diffie-Hellman key exchange, whose underlying security rests on mathematical problems generally believed to be hard, such as integer factorization and discrete logarithms. Although no effective, practical algorithm that solves these problems quickly has been found so far, the possibility that an efficient algorithm will be found in the future cannot be ruled out. In addition, with the rapid growth of hardware and software computing power and the continuous improvement of computational methods such as distributed computing, existing computing power can already factor a 768-bit integer quickly. It should also be noted that integer factorization has been shown to be efficiently solvable under the quantum computing model. A more practical and serious problem is that a key distribution mechanism based on public key cryptography also brings serious security problems if it is configured or used improperly in a real application.
For example, the recent fast attack on Diffie-Hellman with integers below 1024 bits as used in OpenSSL, and the exploitation of the back door in the Dual_EC pseudo-random number generator published by NIST, both expose extremely serious security vulnerabilities in public key systems in use today. In the long run, a key distribution mechanism based on public key cryptography cannot provide an effective provable security result and has no unconditional security.
With the development, improvement and practical deployment of quantum secure communication technology, quantum key distribution provides another secure, efficient and practical method of key distribution. Properties of quantum key distribution that follow from the fundamental principles of quantum mechanics, namely that a quantum state cannot be split, cannot be measured without disturbance, cannot be cloned, and yields a truly random key, give a quantum key distribution system unconditional security from the bottom up. As shown in Fig. 1, secure communication based on a quantum key distribution mechanism consists of two main steps:
Step 101, corresponding to 1 and 2 in Fig. 1. The communicating parties negotiate and distribute a quantum shared key over a dedicated quantum network using the corresponding quantum transceivers, and each party transfers the shared key into its local encryption device. This step guarantees the unconditional security of key distribution and transmission.
Step 102, corresponding to 3, 4 and 5 in Fig. 1. After the secure distribution of the quantum shared key is complete, the sender encrypts the data to be transmitted with the shared key and a secure encryption algorithm and sends the encrypted data to the receiver over a conventional network; the receiver decrypts the received data with the same shared key and algorithm, so that the two parties communicate securely.
Embodiment one
As shown in Fig. 2, the identity authentication method of embodiment one of the present invention is applied to a first device and includes:
Step 201, generating an authentication request that includes identity information, the identifier of a first quantum key used for the current authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key.
In the embodiment, the first device obtains the first quantum key from the quantum key set it shares with the authentication server and obtains first information to be authenticated. It then encrypts the first information to be authenticated together with the identity information under the first quantum key to obtain the first encrypted ciphertext, and finally generates the authentication request from the identity information, the identifier of the first quantum key and the first encrypted ciphertext.
The identity information may be, for example, the name of the first device, and the first information to be authenticated is an arbitrary random number. To further ensure security, the first quantum key is a quantum key that has not been used before.
Step 202, sending the authentication request to a second device, so that the second device forwards the authentication request to the authentication server, which performs authentication according to the request.
Step 203, receiving the authentication response sent by the second device; the authentication response contains the authentication message of the authentication server.
As can be seen, in the embodiment mutual authentication is achieved through a single round of interaction between the devices, so the scheme of the embodiment authenticates quickly and with high efficiency.
Embodiment two
As shown in Fig. 3, the identity authentication method of embodiment two of the present invention is applied to a second device and includes:
Step 301, receiving a first authentication request from a first device; the first authentication request includes the identity information of the first device, the identifier of the first quantum key that the first device uses for the current authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key.
The first encrypted ciphertext is obtained by the first device encrypting first information to be authenticated and the identity information with the first quantum key.
Step 302, sending an identity authentication request that contains the first authentication request to the authentication server, so that the authentication server performs authentication according to the identity authentication request.
Step 303, receiving the authentication message of the authentication server and authenticating the first device according to that message.
Step 304, sending an authentication response to the first device according to the authentication message.
As can be seen, in the embodiment mutual authentication is achieved through a single round of interaction between the devices, so the scheme of the embodiment authenticates quickly and with high efficiency.
Embodiment three
As shown in Fig. 4, the identity authentication method of embodiment three of the present invention is applied to an authentication server and includes:
Step 401, receiving an identity authentication request from a second device; the identity authentication request includes a first authentication request of a first device, and the first authentication request includes the identity information of the first device, the identifier of the first quantum key that the first device uses for the current authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key.
Step 402, performing authentication according to the identity authentication request.
Step 403, sending an authentication message to the second device.
As can be seen, in the embodiment mutual authentication is achieved through a single round of interaction between the devices, so the scheme of the embodiment authenticates quickly and with high efficiency.
Embodiment four
As shown in Fig. 5, the identity authentication method of embodiment four of the present invention includes:
Step 501, device initialization.
The purpose of device initialization is for each of the two parties to be authenticated to generate quantum keys with the authentication center. In the authentication and key agreement phase, the stored quantum keys are used for mutual authentication and a shared key is generated between the two parties.
The entity to be authenticated must generate a number of shared keys with the authentication server in advance over the quantum key distribution network and store them, recording at least the key identifier and the key itself. The process is as follows:
(1) The entity to be authenticated, device A, is connected to the authentication server through the quantum network, and a large set of unconditionally secure shared keys is generated at the two ends of the quantum network. The set is denoted K and contains the keys K1, K2, ....
(2) In device A, the key receiving unit of the key storage module receives the quantum key set K from the quantum network; the authentication server receives the same set K from the quantum network.
(3) Device A and the authentication server define key identifiers for the keys in the same way; the identifier of key Ki is denoted IDKi.
(4) Device A and the authentication server store the key, the key identifier, and the identities of device A and the authentication server. With the identities of device A and the authentication server denoted IDA and IDAuth respectively, each key is stored as (IDKi, Ki, IDA, IDAuth).
Step 502, device A sends an authentication request to device B.
Device A selects an unused key KA1 and sends authentication request M1 to device B. M1 contains the identity information IDA of device A, the identifier IDKA1 of the selected key, and the ciphertext E_KA1(IDA) obtained by encrypting IDA with KA1.
Step 503, device B sends the authentication request to the authentication server.
Device B forwards the authentication request of device A to the authentication server.
Step 504, the authentication server authenticates device A.
In the embodiment, each key in the shared key set may carry a status flag. If a key is still in the set, its status flag is either used or unused, so once a key Kj has been found, reading its flag shows whether it has been used before.
The authentication server looks up KA1 in its quantum key set by IDKA1. If KA1 has been deleted or is marked as used, it returns a key error; if KA1 is unused, it decrypts the ciphertext with KA1 to obtain IDA. If the decrypted IDA is consistent with the IDA transmitted in the clear in M1, device A is considered to really possess KA1, and the authentication of device A is achieved. Rejecting a key whose flag is already set is also what stops a captured M1 from being presented to the server a second time.
Step 505, the authentication server returns the authentication result to device B.
Step 506, device B returns the authentication result to device A.
Device B authenticates device A on the strength of the authentication server's result: if the result indicates that the server has authenticated device A, device B accepts device A; if the result indicates that the server has not authenticated device A, device B rejects device A.
In addition, device A or the authentication server may update the quantum key set, for example by deleting the key KA1 or updating its status flag to used. The authentication process then ends.
Embodiment five
As shown in Fig. 6, the identity authentication method of embodiment five of the present invention includes:
Step 601, device initialization.
See the description of step 501. In this embodiment the parties to the authentication are device A, device B and the authentication server. Device B and the authentication server also obtain a quantum key set between them, in the same way that device A and the authentication server obtained theirs.
Step 602, device A sends an authentication request to device B.
Device A selects an unused key KA1, generates a random number N1, and sends authentication request M1 to device B. M1 contains the identity information IDA of device A, the identifier IDKA1 of the selected key, and the ciphertext obtained by encrypting IDA and the random number N1 with KA1. Device A stores N1 temporarily until the authentication process ends.
Step 603, device B generates an authentication request.
On receiving the authentication request of device A, device B selects an unused key KB1 from its stored quantum key set, generates a random number N2, and assembles authentication request M2, which contains the identity information IDB of device B, the identifier IDKB1 of the selected key, and the ciphertext obtained by encrypting IDB and the random number N2 with KB1. Device B stores N2 temporarily until the authentication process ends.
Step 604, device B sends an identity authentication request to the authentication server.
The identity authentication request that device B sends to the authentication server contains M1 and M2.
Step 605, the authentication server authenticates device A and device B respectively.
The detailed process is as follows:
(1) The authentication server looks up the keys KA1 and KB1 in its stored quantum key sets by the identifiers IDKA1 and IDKB1. If KA1 or KB1 has been deleted or is marked as used, it returns a key error; if both are unused, it decrypts the ciphertexts in M1 and M2 with KA1 and KB1 respectively.
(2) The authentication server checks whether the decrypted IDA and IDB are consistent with the IDA and IDB transmitted in the clear in M1 and M2. If not, authentication fails and an authentication failure message is returned; if so, device A and device B are considered to possess KA1 and KB1 respectively, and their identities are verified. The authentication response messages are then assembled as follows.
(3) The authentication server selects an unused key KA2 shared with device A and an unused key KB2 shared with device B, and assembles messages M3 and M4. M3 contains the identifier IDKB2 of KB2 and the ciphertext obtained by encrypting the random number N2 and the authentication result Result with KB2; M4 contains the identifier IDKA2 of KA2 and the ciphertext obtained by encrypting the random number N1 and the authentication result Result with KA2. Optionally, Result may include the identity information IDA and IDB of devices A and B.
Result contains the authentication server's results for device A and device B.
Step 606, the authentication server sends the authentication response to device B.
Step 607, device B authenticates device A and the authentication server.
On receiving the authentication response of the authentication server, device B uses the identifier IDKB2 in M3 to find KB2 in its own storage. If KB2 has been deleted or is marked as used, it returns a key error; otherwise it decrypts the ciphertext in M3 with KB2 and checks whether the decrypted N2 is consistent with the N2 it cached from its own authentication request M2. If so, the authentication server possesses KB1 and KB2, and the authentication of the server is achieved; otherwise authentication fails.
Device B learns the authentication server's result for device A from Result.
Device B may also update its quantum key set, for example by deleting the keys KB1 and KB2 or marking them as used.
Step 608, device B sends the authentication response to device A.
Device B sends M4 to device A.
Step 609, device A authenticates device B and the authentication server.
On receiving the authentication response of device B, device A uses the identifier IDKA2 in M4 to find KA2 in its own storage. If KA2 has been deleted or is marked as used, it returns a key error; otherwise it decrypts the ciphertext in M4 with KA2 and checks whether the decrypted N1 is consistent with the N1 it cached from its own authentication request M1. If so, the authentication server possesses KA1 and KA2, and the authentication of the server is achieved; otherwise authentication fails. Device A learns the authentication server's results for device A and device B from Result.
Device A may also update its quantum key set, for example by deleting KA1 and KA2 or marking them as used. The authentication process then ends.
Embodiment six
In embodiment five, it is forwarded to certificate server by the way that message will be authenticated, equipment may be implemented by certificate server It is bipartite to be mutually authenticated, in fact, based on the authentication method, Diffie-Hellman (DH) agreement is merged, it can be with Realize the key agreement of authenticating device both sides.Diffie-Hellman agreements are a kind of key agreement protocols, allow two entities The arranging key in unsafe medium.
As shown in fig. 7, the identity identifying method of the embodiment of the present invention six, including:
Step 701, equipment initialization.
This step can refer to the description of step 501.In embodiments of the present invention, the certification main body being related to includes device A, Equipment B and certificate server.Between equipment B and certificate server, also quantum can be obtained before according to device A and certificate server The mode of cipher key sets obtains the quantum key set between equipment B and certificate server.
Step 702, device A send certification request to equipment B.
Device A selects a key KA1 not used, randomly generates a random number N 1, select two big Integer n with G randomly chooses integer x one big, calculates X=gxmod n.Device A sends certification request M1 to equipment B, wherein including equipment Identity information IDA, the key identification IDKA1 selected to use of A, using close after KA1 encryptions IDA1, random number N 1 and X Literary information and the Integer n and g of device A selection.Device A needs interim storage x and N1, until verification process terminates.
Step 703, equipment B generate certification request.
After equipment B receives the certification request of device A, select a key KB1 not used, randomly generate one with Machine number N2 selects random number y one big, calculates Y=gyMod n organize the certification request M2 of oneself, including equipment B's Identity information IDB, key identification IDKB1 selected to use, and using close after KB1 encryptions IDB, random number N 2 and Y Literary information.Equipment B needs interim storage y and N2, until verification process terminates.
Step 704, equipment B send ID authentication request to certificate server.
Equipment B sends ID authentication request to certificate server, wherein including M1 and M2.
Step 705, certificate server are respectively authenticated device A, equipment B.
Detailed process is as follows:
(1) corresponding key KA1 and KB1 is found according to key identification IDKA1 and IDKB1 respectively, if KA1 or KB1 by It is deleted or marked as having used, then " return " key" mistake;If KA1 and KB1 were not used, KA1 and KB1 is used to decrypt M1 respectively With the ciphertext in M2.
(2) IDA after certificate server verification decryption and IDB whether with the IDA and IDB of plaintext transmission in M1 and M2 whether Unanimously.If inconsistent, authentification failure, return authentication failed message;If consistent, then it is assumed that device A and equipment B possess close respectively Key KA1 and KB1, identity are verified.Following authentication response message is organized later.
(3) certificate server select respectively one with the shared of device A and equipment B and the key KA2 not used and KB2, tissue message M3 and M4.Wherein M3 includes the mark IDKB2 of KB2, uses KB2 encrypted random numbers N2, authentication result The Result and X decrypted from M1;Wherein M4 includes the mark IDKA2 of KA2, uses KA2 encrypted random numbers N1, certification knot The fruit Result and Y decrypted from M2.It may include optionally the body of device A and equipment B in authentication result Result Part information, IDA, IDB.
Wherein, which includes authentication result of the certificate server to device A and equipment B.
Step 706: the authentication server sends the authentication response to Device B.
Step 707: Device B authenticates Device A and the authentication server.
After receiving the authentication response from the authentication server, Device B looks up KB2 in its own storage area according to the key identifier IDKB2 in M3. If KB2 has been deleted or marked as used, a key error is returned; otherwise the ciphertext in M3 is decrypted with KB2. Device B then verifies whether the N2 obtained after decryption is consistent with the N2 it cached when it sent authentication request M2. If so, the authentication server possesses KB1 and KB2, and Device B has authenticated the authentication server; otherwise authentication fails.
Device B learns the authentication server's authentication result for Device A from Result.
Device B computes the shared key with Device A from the X decrypted from M3: K = X^y mod n.
In addition, Device B may update its quantum key set, for example by deleting KB1 and KB2 or marking them as used.
Step 708: Device B sends the authentication response to Device A.
Device B forwards M4 to Device A.
Step 709: Device A authenticates Device B and the authentication server.
Device A looks up KA2 in its own storage area according to the key identifier IDKA2 in M4. If KA2 has been deleted or marked as used, a key error is returned; otherwise the ciphertext in M4 is decrypted with KA2.
Device A verifies whether the N1 obtained after decryption is consistent with the N1 it cached when it sent authentication request M1. If so, the authentication server possesses KA1 and KA2, and Device A has authenticated the authentication server; otherwise authentication fails.
Device A learns the authentication server's authentication results for Device A and Device B from Result.
Device A computes the shared key with Device B from the Y decrypted from M4: K = Y^x mod n.
In addition, Device A may update its quantum key set, for example by deleting KA1 and KA2 or marking them as used.
Through the above process, the shared key between Device A and Device B is:
K = X^y mod n = Y^x mod n = g^(xy) mod n, where Y = g^y mod n and X = g^x mod n.
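The exchange of steps 701 to 709 as an added, self-contained simulation (example code written for this page, not code from patent CN108347404A or its assignee). Each of Device A, Device B and the authentication server holds a pool of one-time pre-shared keys addressed by key identifier; the server verifies the decrypted identities against the plaintext ones, relays X and Y under fresh keys, and the devices check their cached nonces and derive K = g^(xy) mod n. The example also shows why the "mark as used" rule defeats replay, and mirrors the lookup/read-status/decrypt/compare submodules of embodiments seven to nine. The cipher (a SHA-256 keystream with an HMAC tag standing in for AES), the "KA-0000" key-ID format, the toy group parameters and all function and class names are assumptions of this example.

```python
"""Added example, not code from patent CN108347404A or its assignee: a
stand-alone simulation of the three-party exchange of steps 701-709. Each
party holds a pool of one-time pre-shared keys addressed by key identifier,
and the devices derive K = g^(xy) mod n from the X and Y the server relays.
The cipher, key-ID format, toy group parameters and all names are assumptions."""
import hashlib, hmac, json, secrets

N_PRIME = 2**127 - 1        # assumed public modulus n (a Mersenne prime)
G = 5                       # assumed generator g

def _stream(key, length):
    """SHA-256 counter keystream; stand-in for the AES the patent mentions."""
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))

def seal(key, obj):
    """Encrypt a JSON object and append an HMAC tag (each key is used only once)."""
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def open_(key, blob):
    """Check the tag, then decrypt; a wrong key or tampering is rejected."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct)))))

class KeyPool:
    """Quantum key set of one party; IDs follow an assumed 'KA-0000' rule."""
    def __init__(self, prefix, keys):
        self.keys = {f"{prefix}-{i:04d}": [k, False] for i, k in enumerate(keys)}

    def take_unused(self):
        """Pick the next unused key for sending and mark it used."""
        for kid, entry in self.keys.items():
            if not entry[1]:
                entry[1] = True
                return kid, entry[0]
        raise RuntimeError("key set exhausted: re-initialise from the QKD device")

    def use(self, kid):
        """Look up a received key ID; a deleted or already-used key is a key error."""
        if kid not in self.keys or self.keys[kid][1]:
            raise KeyError(f"key error: {kid} missing or already used")
        self.keys[kid][1] = True    # one-time use: this is what defeats replay
        return self.keys[kid][0]

def device_request(pool, ident, nonce, verif):
    """Steps 701-703: M1/M2 = plaintext ID, key ID, g, n, and sealed (ID, N, X or Y)."""
    kid, k = pool.take_unused()
    return {"id": ident, "kid": kid, "g": G, "n": N_PRIME,
            "ct": seal(k, {"id": ident, "nonce": nonce, "v": verif})}

def server_authenticate(srv_pools, m1, m2):
    """Steps 704-705: check KA1/KB1 and the IDs, then build M3 (for B) and M4 (for A)."""
    inner = {}
    for m in (m1, m2):
        k = srv_pools[m["id"]].use(m["kid"])          # key error if deleted/used
        inner[m["id"]] = open_(k, m["ct"])
        if inner[m["id"]]["id"] != m["id"]:           # decrypted ID vs plaintext ID
            raise ValueError(f"authentication of {m['id']} failed: identity mismatch")
    result = {"ok": True, "ids": [m1["id"], m2["id"]]}
    kid_b2, kb2 = srv_pools[m2["id"]].take_unused()
    kid_a2, ka2 = srv_pools[m1["id"]].take_unused()
    m3 = {"kid": kid_b2, "ct": seal(kb2, {"nonce": inner[m2["id"]]["nonce"],
                                          "result": result, "peer_v": inner[m1["id"]]["v"]})}
    m4 = {"kid": kid_a2, "ct": seal(ka2, {"nonce": inner[m1["id"]]["nonce"],
                                          "result": result, "peer_v": inner[m2["id"]]["v"]})}
    return m3, m4

def device_verify(pool, resp, nonce, exponent):
    """Steps 707/709: decrypt with KB2/KA2, check the cached nonce, derive K."""
    k = pool.use(resp["kid"])
    inner = open_(k, resp["ct"])
    if inner["nonce"] != nonce:
        raise ValueError("server does not hold the expected keys")
    return inner["result"], pow(inner["peer_v"], exponent, N_PRIME)

def run_protocol():
    """Full exchange plus a replay attempt; returns four booleans for checking."""
    keys_a = [secrets.token_bytes(16) for _ in range(4)]   # 128-bit keys, as in the text
    keys_b = [secrets.token_bytes(16) for _ in range(4)]
    dev_a, dev_b = KeyPool("KA", keys_a), KeyPool("KB", keys_b)
    srv = {"A": KeyPool("KA", keys_a), "B": KeyPool("KB", keys_b)}   # same sets, same IDs
    x, y = secrets.randbelow(N_PRIME - 3) + 2, secrets.randbelow(N_PRIME - 3) + 2
    n1, n2 = secrets.token_hex(16), secrets.token_hex(16)
    m1 = device_request(dev_a, "A", n1, pow(G, x, N_PRIME))   # M1 from A, X = g^x mod n
    m2 = device_request(dev_b, "B", n2, pow(G, y, N_PRIME))   # M2 from B, Y = g^y mod n
    m3, m4 = server_authenticate(srv, m1, m2)
    res_b, k_b = device_verify(dev_b, m3, n2, y)              # B: K = X^y mod n
    res_a, k_a = device_verify(dev_a, m4, n1, x)              # A: K = Y^x mod n
    try:                                                      # replaying M1/M2 later
        server_authenticate(srv, m1, m2)
        replay_rejected = False
    except KeyError:                                          # KA1/KB1 already marked used
        replay_rejected = True
    return res_a["ok"] and res_b["ok"], k_a == k_b, k_a == pow(G, x * y, N_PRIME), replay_rejected

if __name__ == "__main__":
    print(run_protocol())   # (True, True, True, True)
```

The replay attempt at the end is the check a reviewer of such a scheme wants to see: the intercepted M1 and M2 are syntactically valid, but the server's pool already has KA1 and KB1 flagged, so the lookup fails before any decryption takes place. Note that the pool on each side is updated in lock-step only because both copies process the same messages; a real deployment still needs the "delete or mark as used" step to happen even on failed runs, otherwise a key consumed by one side but not the other desynchronises the pools.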
As can be seen from the above, the embodiment of the present invention has the following advantages:
(1) Security:
1) Three-party authentication:
Between Device A and the authentication server: since the keys identified by IDKA1 and IDKA2 are shared only by Device A and the authentication server, if Device A correctly encrypts IDA with KA1, the authentication of Device A is achieved. Similarly, if the authentication server correctly encrypts N1 with KA2, this shows that the authentication server really possesses the keys identified by IDKA1 and IDKA2, which achieves Device A's authentication of the authentication server.
Between Device B and the authentication server: since the keys identified by IDKB1 and IDKB2 are shared only by Device B and the authentication server, if Device B correctly encrypts IDB with KB1, the authentication of Device B is achieved. Similarly, if the authentication server correctly encrypts N2 with KB2, this shows that the authentication server really possesses the keys identified by IDKB1 and IDKB2, which achieves Device B's authentication of the authentication server.
Between Device A and Device B: Device A and Device B each authenticate the authentication server, and the authentication server sends its authentication results Result for Device A and Device B, encrypted, to both sides, so that mutual authentication between Device A and Device B is achieved.
2) Replay prevention: in this scheme a quantum key may be used only once and is then deleted or marked as used, so a one-time pad can be realised. If an attacker intercepts the authentication data, the keys in that data have already been used by both parties, so when the data is replayed the communicating parties detect it as a replayed message and discard it.
3) Eavesdropping prevention: a quantum key is shared only by the two communicating parties and is used only once, so even if an attacker intercepts the communication data it cannot be decrypted. In addition, the encryption algorithm in the scheme may use an existing symmetric cryptographic algorithm such as AES; quantum computing can break asymmetric (public-key) cryptographic algorithms, but cannot break symmetric cryptographic algorithms.
(2) Feasibility:
1) Application feasibility: since each key is used only once, re-initialisation is required once all keys have been used. In practice, if 128-bit quantum keys are used, 20 bytes of storage may be allocated per key; in this way 1 MB of storage can hold about 500,000 keys, which is sufficient for an ordinary user, and the usable lifetime of the keys can be extended by increasing the storage space.
2) Technical feasibility: quantum key transceivers are commercially available at present, so the key distribution between the devices and the authentication server can be realised with a quantum network and quantum key transceivers and deployed rapidly.
Embodiment seven
As shown in Fig. 8, the identity authentication apparatus of embodiment seven of the present invention includes:
a generation module 801, configured to generate an authentication request, the authentication request including identity information, an identifier of a first quantum key used for the current authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key; a sending module 802, configured to send the authentication request to a second device so that the second device forwards the authentication request to an authentication server, which performs authentication according to the authentication request; and a receiving module 803, configured to receive an authentication response sent by the second device, the authentication response including an authentication message of the authentication server.
Wherein the first encrypted ciphertext further includes first information to be authenticated; the authentication message of the authentication server includes a first authentication message for the first device, which includes an identifier of a second quantum key used by the authentication server for the current authentication and a second encrypted ciphertext obtained by encrypting an authentication result and second information to be authenticated with the second quantum key; and the authentication result includes the authentication server's authentication result for the first device and the authentication server's authentication result for the second device.
As shown in Fig. 9, the apparatus further includes an authentication module 804, configured to authenticate the second device and the authentication server respectively according to the authentication response.
Wherein the authentication module 804 includes: a lookup submodule, configured to look up a corresponding third quantum key according to the identifier of the second quantum key; a reading submodule, configured to read the status flag of the third quantum key if the third quantum key is found; a decryption submodule, configured to decrypt the second encrypted ciphertext with the third quantum key, if its status flag indicates that it has not been used, so as to obtain the second information to be authenticated and the authentication result; a comparison submodule, configured to compare the second information to be authenticated with the first information to be authenticated; a first authentication submodule, configured to pass the authentication of the authentication server if the second information to be authenticated is consistent with the first information to be authenticated; and a second authentication submodule, configured to pass the authentication of the second device if the authentication result indicates that the authentication server has passed the authentication of the second device.
Wherein the first information to be authenticated includes a random number and a first verification number; the authentication request further includes a first large integer and a second large integer; and the first verification number is calculated from the first large integer, the second large integer and a third large integer.
The second information to be authenticated includes the random number and a second verification number generated by the second device from the first large integer, the second large integer and a fourth large integer.
The comparison submodule is specifically configured to compare the random number in the second information to be authenticated with the random number in the first information to be authenticated.
Again as shown in Fig. 9, the apparatus further includes:
a key calculation module 805, configured to calculate a shared quantum key, the shared quantum key being used for communication with the second device.
The shared quantum key is calculated as follows:
K = X^y mod n = Y^x mod n = g^(xy) mod n, Y = g^y mod n, X = g^x mod n;
where K denotes the shared quantum key, g the first large integer, n the second large integer, x the third large integer, y the fourth large integer, X the first verification number and Y the second verification number.
In one embodiment, the authentication message of the authentication server includes the authentication server's authentication result for the first device, and the first information to be authenticated is a random number.
Again as shown in Fig. 9, the apparatus further includes:
a key acquisition module 806, configured to obtain a quantum key set shared with the authentication server from a quantum key distribution device; a setup module 807, configured to assign key identifiers to the keys in the quantum key set in a predetermined way; and a storage module 808, configured to store the quantum key set, the key identifiers, the identifier of the first device and the identifier of the authentication server.
Further, the apparatus includes an update module 809, configured to update the quantum key set.
For the operating principle of the apparatus of the present invention, reference may be made to the description of the preceding method embodiments.
As can be seen from the above, in the embodiments of the present invention two-way authentication is achieved with a single interaction between the devices, so authentication with the scheme of the embodiments is fast and its efficiency is high.
Embodiment eight
As shown in Fig. 10, the identity authentication apparatus of embodiment eight of the present invention includes:
a first receiving module 901, configured to receive a first authentication request of a first device, the first authentication request including identity information of the first device, an identifier of a first quantum key used by the first device for the current authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key; a first sending module 902, configured to send an identity authentication request including the first authentication request to an authentication server so that the authentication server performs authentication according to the identity authentication request; a second receiving module 903, configured to receive an authentication message of the authentication server and authenticate the first device according to the authentication message; and a second sending module 904, configured to send an authentication response to the first device according to the authentication message.
As shown in Fig. 11, the apparatus further includes:
a generation module 905, configured to generate a second authentication request, the second authentication request including identity information of the second device, an identifier of a second quantum key used by the second device for the current authentication, and a second encrypted ciphertext obtained by encrypting the identity information and second information to be authenticated with the second quantum key; the identity authentication request further includes the second authentication request.
Wherein the authentication message of the authentication server includes a second authentication message for the second device, which includes an identifier of a third quantum key used by the authentication server for the current authentication and a third encrypted ciphertext obtained by encrypting an authentication result and third information to be authenticated with the third quantum key; and the authentication result includes the authentication server's authentication result for the first device and the authentication server's authentication result for the second device.
As shown in Fig. 11, the apparatus further includes an authentication module 906, configured to receive the authentication message of the authentication server and authenticate the authentication server according to the authentication message.
Wherein the authentication module 906 includes:
a lookup submodule, configured to look up a corresponding fourth quantum key according to the identifier of the third quantum key; a reading submodule, configured to read the status flag of the fourth quantum key if the fourth quantum key is found; a decryption submodule, configured to decrypt the third encrypted ciphertext with the fourth quantum key, if its status flag indicates that it has not been used, so as to obtain the third information to be authenticated and the authentication result; a comparison submodule, configured to compare the third information to be authenticated with the second information to be authenticated; a first authentication submodule, configured to pass the authentication of the authentication server if the third information to be authenticated is consistent with the second information to be authenticated; and a second authentication submodule, configured to pass the authentication of the first device if the authentication result indicates that the authentication server has passed the authentication of the first device.
Wherein the first information to be authenticated is a random number and a first verification number; the first authentication request further includes a first large integer and a second large integer; and the first verification number is calculated from the first large integer, the second large integer and a third large integer.
The second information to be authenticated includes the random number and a second verification number generated from the first large integer, the second large integer and a fourth large integer.
The comparison submodule is specifically configured to compare the random number in the third information to be authenticated with the random number in the second information to be authenticated.
As shown in Fig. 11, the apparatus further includes:
a key calculation module 907, configured to calculate a shared quantum key, the shared quantum key being used for communication with the first device.
The shared quantum key is calculated as follows:
K = X^y mod n = Y^x mod n = g^(xy) mod n, Y = g^y mod n, X = g^x mod n;
where K denotes the shared quantum key, g the first large integer, n the second large integer, x the third large integer, y the fourth large integer, X the first verification number and Y the second verification number.
As shown in Fig. 11, the apparatus further includes:
a key acquisition module 908, configured to obtain a quantum key set shared with the authentication server from a quantum key distribution device; a setup module 909, configured to assign key identifiers to the keys in the quantum key set in a predetermined way; and a storage module 910, configured to store the quantum key set, the key identifiers, the identifier of the second device and the identifier of the authentication server.
As shown in Fig. 11, the apparatus further includes an update module 912, configured to update the quantum key set.
For the operating principle of the apparatus of the present invention, reference may be made to the description of the preceding method embodiments.
As can be seen from the above, in the embodiments of the present invention two-way authentication is achieved with a single interaction between the devices, so authentication with the scheme of the embodiments is fast and its efficiency is high.
Embodiment nine
As shown in Fig. 12, the identity authentication apparatus of embodiment nine of the present invention includes:
a receiving module 1201, configured to receive an identity authentication request of a second device, the identity authentication request including a first authentication request of a first device, the first authentication request including identity information of the first device, an identifier of a first quantum key used by the first device for the current authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key; an authentication module 1202, configured to perform authentication according to the identity authentication request; and a sending module 1203, configured to send an authentication message to the second device.
Wherein the first encrypted ciphertext further includes first information to be authenticated; and the identity authentication request further includes a second authentication request, which includes identity information of the second device, an identifier of a second quantum key used by the second device for the current authentication, and a second encrypted ciphertext obtained by encrypting the identity information and second information to be authenticated with the second quantum key.
Wherein the authentication module 1202 includes:
a first lookup submodule, configured to look up a corresponding third quantum key according to the identifier of the first quantum key; a first reading submodule, configured to read the status flag of the third quantum key if the third quantum key is found; a first decryption submodule, configured to decrypt the first encrypted ciphertext with the third quantum key, if its status flag indicates that it has not been used, so as to obtain the identity information of the first device and the first information to be authenticated; a first comparison submodule, configured to compare the identity information contained in the first authentication request with the decrypted identity information of the first device; and a first authentication submodule, configured to pass the authentication of the first device if the identity information contained in the first authentication request is consistent with the decrypted identity information of the first device.
Alternatively, the authentication module 1202 includes:
a second lookup submodule, configured to look up a corresponding fourth quantum key according to the identifier of the second quantum key; a second reading submodule, configured to read the status flag of the fourth quantum key if the fourth quantum key is found; a second decryption submodule, configured to decrypt the second encrypted ciphertext with the fourth quantum key, if its status flag indicates that it has not been used, so as to obtain the identity information of the second device and the second information to be authenticated; a second comparison submodule, configured to compare the identity information contained in the second authentication request with the decrypted identity information of the second device; and a second authentication submodule, configured to pass the authentication of the second device if the identity information contained in the second authentication request is consistent with the decrypted identity information of the second device.
Wherein the authentication message includes a first authentication message for the first device and a second authentication message for the second device;
the first authentication message includes an identifier of a fifth quantum key used by the authentication server for the current authentication and a third encrypted ciphertext obtained by encrypting an authentication result and third information to be authenticated with the fifth quantum key;
the second authentication message includes an identifier of a sixth quantum key used by the authentication server for the current authentication and a fourth encrypted ciphertext obtained by encrypting the authentication result and fourth information to be authenticated with the sixth quantum key;
and the authentication result includes the authentication server's authentication result for the first device and the authentication server's authentication result for the second device.
Wherein the first information to be authenticated includes a random number and a first verification number; the authentication request further includes a first large integer and a second large integer; and the first verification number is calculated from the first large integer, the second large integer and a third large integer.
The second information to be authenticated includes the random number and a second verification number generated by the second device from the first large integer, the second large integer and a fourth large integer.
Wherein the third information to be authenticated includes the random number in the first information to be authenticated and the first verification number; and the fourth information to be authenticated includes the random number in the second information to be authenticated and the second verification number.
As shown in Fig. 13, the apparatus further includes:
a key acquisition module 1204, configured to obtain from a quantum key distribution device a first quantum key set shared with the first device and a second quantum key set shared with the second device; a setup module 1205, configured to assign key identifiers to the keys in the first quantum key set and the second quantum key set in a predetermined way; a first storage module 1206, configured to store the first quantum key set, the key identifiers, the identifier of the first device and the identifier of the authentication server; and a second storage module 1207, configured to store the second quantum key set, the key identifiers, the identifier of the second device and the identifier of the authentication server.
Further, as shown in Fig. 13, the apparatus may also include an update module 1208, configured to update the quantum key sets.
In the several embodiments provided herein, it should be understood that the disclosed method and apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation: several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatus or units, and may be electrical, mechanical or of another form.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit stored in the storage medium includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute some of the steps of the transceiving methods described in the embodiments of the present invention. The storage medium includes various media capable of storing program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above are preferred embodiments of the present invention. It should be noted that those skilled in the art may make several improvements and modifications without departing from the principles of the present invention, and such improvements and modifications shall also be regarded as falling within the scope of protection of the present invention.

Claims (48)

1. An identity authentication method, characterised in that it is applied to a first device and comprises:
generating an authentication request, the authentication request including identity information, an identifier of a first quantum key used for the current authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key;
sending the authentication request to a second device, so that the second device forwards the authentication request to an authentication server, which performs authentication according to the authentication request; and
receiving an authentication response sent by the second device, the authentication response including an authentication message of the authentication server.
2. The method according to claim 1, characterised in that
the first encrypted ciphertext further includes first information to be authenticated;
the authentication message of the authentication server includes a first authentication message for the first device, the first authentication message including an identifier of a second quantum key used by the authentication server for the current authentication and a second encrypted ciphertext obtained by encrypting an authentication result and second information to be authenticated with the second quantum key; the authentication result includes the authentication server's authentication result for the first device and the authentication server's authentication result for the second device; and the method further comprises:
authenticating the second device and the authentication server respectively according to the authentication response.
3. The method according to claim 2, characterised in that the authenticating the second device and the authentication server respectively according to the authentication response comprises:
looking up a corresponding third quantum key according to the identifier of the second quantum key;
if the third quantum key is found, reading a status flag of the third quantum key;
if the status flag of the third quantum key indicates that the third quantum key has not been used, decrypting the second encrypted ciphertext with the third quantum key to obtain the second information to be authenticated and the authentication result;
comparing the second information to be authenticated with the first information to be authenticated;
if the second information to be authenticated is consistent with the first information to be authenticated, passing the authentication of the authentication server; and
if the authentication result indicates that the authentication server has passed the authentication of the second device, passing the authentication of the second device.
4. The method according to claim 2 or 3, characterised in that the first information to be authenticated includes a random number and a first verification number; the authentication request further includes a first large integer and a second large integer; and the first verification number is calculated from the first large integer, the second large integer and a third large integer;
the second information to be authenticated includes the random number and a second verification number generated by the second device from the first large integer, the second large integer and a fourth large integer; and
the comparing the second information to be authenticated with the first information to be authenticated comprises:
comparing the random number in the second information to be authenticated with the random number in the first information to be authenticated.
5. The method according to claim 4, characterised in that the method further comprises:
calculating a shared quantum key, the shared quantum key being used for communication with the second device;
the shared quantum key being calculated as follows:
K = X^y mod n = Y^x mod n = g^(xy) mod n, Y = g^y mod n, X = g^x mod n;
where K denotes the shared quantum key, g the first large integer, n the second large integer, x the third large integer, y the fourth large integer, X the first verification number and Y the second verification number.
6. The method according to claim 2, characterised in that the authentication message of the authentication server includes the authentication server's authentication result for the first device, and the first information to be authenticated is a random number.
7. The method according to claim 1, characterised in that the method further comprises:
obtaining a quantum key set shared with the authentication server from a quantum key distribution device;
assigning key identifiers to the keys in the quantum key set in a predetermined way; and
storing the quantum key set, the key identifiers, the identifier of the first device and the identifier of the authentication server.
8. The method according to claim 7, characterised in that the method further comprises:
updating the quantum key set.
9. a kind of identity identifying method, which is characterized in that it is applied to the second equipment, including:
The first certification request for receiving the first equipment includes the identity letter of first equipment in first certification request Breath, first equipment are for the mark of the first quantum key of current authentication, using first quantum key to institute State encrypted first encrypted cipher text of identity information;
ID authentication request is sent to certificate server, includes first certification request in the ID authentication request, with The certificate server is set to be authenticated according to the ID authentication request;
The message identifying for receiving the certificate server is authenticated first equipment according to the message identifying;
According to the message identifying authentication response is sent to first equipment.
10. The method according to claim 9, characterized in that after receiving the first authentication request of the first device, the method further comprises:
generating a second authentication request, the second authentication request including the identity information of the second device, the identifier of the second quantum key used by the second device for the current authentication, and a second encrypted ciphertext obtained by encrypting the identity information and second to-be-authenticated information with the second quantum key;
the identity authentication request further including the second authentication request.
11. The method according to claim 10, characterized in that the authentication message of the authentication server includes a second authentication message for the second device, the second authentication message including the identifier of the third quantum key used by the authentication server for the current authentication and a third encrypted ciphertext obtained by encrypting the authentication result and third to-be-authenticated information with the third quantum key; the authentication result including the authentication server's authentication result for the first device and the authentication server's authentication result for the second device;
the method further comprising: receiving the authentication message of the authentication server and authenticating the authentication server according to the authentication message.
12. The method according to claim 11, characterized in that authenticating the authentication server according to the authentication message comprises:
looking up the fourth quantum key corresponding to the identifier of the third quantum key;
if the fourth quantum key is found, reading the status flag of the fourth quantum key;
if the status flag of the fourth quantum key indicates that the fourth quantum key has not been used, decrypting the third encrypted ciphertext with the fourth quantum key to obtain the third to-be-authenticated information and the authentication result;
comparing the third to-be-authenticated information with the second to-be-authenticated information;
if the third to-be-authenticated information is consistent with the second to-be-authenticated information, the authentication server passes authentication;
and authenticating the first device according to the authentication message comprises:
if the authentication result indicates that the authentication server has authenticated the first device, the first device passes authentication.
13. The method according to claim 12, characterized in that the first encrypted ciphertext further includes first to-be-authenticated information; the first to-be-authenticated information includes a random number and a first verification number; the first authentication request further includes a first big integer and a second big integer; the first verification number is computed from the first big integer, the second big integer and a third big integer;
the second to-be-authenticated information includes: a random number, and a second verification number generated from the first big integer, the second big integer and a fourth big integer;
comparing the third to-be-authenticated information with the second to-be-authenticated information comprises:
comparing the random number in the third to-be-authenticated information with the random number in the second to-be-authenticated information.
14. The method according to claim 13, characterized in that the method further comprises:
computing a shared quantum key, the shared quantum key being used for communication with the first device;
the shared quantum key being computed as follows:
$K = X^y = Y^x = g^{xy} \bmod n$, with $Y = g^y \bmod n$ and $X = g^x \bmod n$;
where K is the shared quantum key, g the first big integer, n the second big integer, x the third big integer, y the fourth big integer, X the first verification number and Y the second verification number.
15. The method according to claim 9, characterized in that the method further comprises:
obtaining, from quantum key distribution equipment, the quantum key set shared with the authentication server;
assigning key identifiers to the keys in the quantum key set in a predetermined way;
storing the quantum key set, the key identifiers, the identifier of the second device and the identifier of the authentication server.
16. The method according to claim 15, characterized in that the method further comprises:
updating the quantum key set.
17. An identity authentication method, characterized in that it is applied to an authentication server and comprises:
receiving an identity authentication request from a second device; wherein the identity authentication request includes a first authentication request of a first device, and the first authentication request includes the identity information of the first device, the identifier of the first quantum key used by the first device for the current identity authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key;
performing authentication according to the identity authentication request;
sending an authentication message to the second device.
18. The method according to claim 17, characterized in that the first encrypted ciphertext further includes first to-be-authenticated information;
the identity authentication request further includes a second authentication request, the second authentication request including the identity information of the second device, the identifier of the second quantum key used by the second device for the current authentication, and a second encrypted ciphertext obtained by encrypting the identity information and second to-be-authenticated information with the second quantum key.
19. The method according to claim 18, characterized in that performing authentication according to the identity authentication request comprises:
looking up the third quantum key corresponding to the identifier of the first quantum key;
if the third quantum key is found, reading the status flag of the third quantum key;
if the status flag of the third quantum key indicates that the third quantum key has not been used, decrypting the first encrypted ciphertext with the third quantum key to obtain the identity information of the first device and the first to-be-authenticated information;
comparing the identity information contained in the first authentication request with the identity information of the first device obtained by decryption;
if the identity information contained in the first authentication request is consistent with the identity information of the first device obtained by decryption, the first device passes authentication.
20. The method according to claim 19, characterized in that performing authentication according to the identity authentication request comprises:
looking up the fourth quantum key corresponding to the identifier of the second quantum key;
if the fourth quantum key is found, reading the status flag of the fourth quantum key;
if the status flag of the fourth quantum key indicates that the fourth quantum key has not been used, decrypting the second encrypted ciphertext with the fourth quantum key to obtain the identity information of the second device and the second to-be-authenticated information;
comparing the identity information contained in the second authentication request with the identity information of the second device obtained by decryption;
if the identity information contained in the second authentication request is consistent with the identity information of the second device obtained by decryption, the second device passes authentication.
21. The method according to claim 18, 19 or 20, characterized in that the authentication message includes a first authentication message for the first device and a second authentication message for the second device;
the first authentication message includes the identifier of the fifth quantum key used by the authentication server for the current authentication and a third encrypted ciphertext obtained by encrypting the authentication result and third to-be-authenticated information with the fifth quantum key;
the second authentication message includes the identifier of the sixth quantum key used by the authentication server for the current authentication and a fourth encrypted ciphertext obtained by encrypting the authentication result and fourth to-be-authenticated information with the sixth quantum key;
the authentication result includes the authentication server's authentication result for the first device and the authentication server's authentication result for the second device.
22. The method according to claim 21, characterized in that the first to-be-authenticated information includes a random number and a first verification number; the authentication request further includes a first big integer and a second big integer; the first verification number is computed from the first big integer, the second big integer and a third big integer;
the second to-be-authenticated information includes: a random number, and a second verification number generated by the second device from the first big integer, the second big integer and a fourth big integer;
wherein the third to-be-authenticated information includes the random number in the first to-be-authenticated information and the first verification number; the fourth to-be-authenticated information includes the random number in the second to-be-authenticated information and the second verification number.
23. The method according to claim 17, characterized in that the method further comprises:
obtaining, from quantum key distribution equipment, a first quantum key set shared with the first device and a second quantum key set shared with the second device, respectively;
assigning key identifiers to the keys in the first quantum key set and the second quantum key set in a predetermined way;
storing the first quantum key set, the key identifiers, the identifier of the first device and the identifier of the authentication server;
storing the second quantum key set, the key identifiers, the identifier of the second device and the identifier of the authentication server.
24. The method according to claim 23, characterized in that the method further comprises:
updating the quantum key sets.
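The exchange of claims 9 to 24, as an added worked example in Python. This is the editor's code, not an implementation from the patent or its applicant. It models the second device forwarding both authentication requests to the authentication server, the server's key-identifier lookup with the unused-status check and identity comparison (claims 19 and 20), the encrypted authentication messages returned under fresh keys (claim 21), each device's check of the echoed random number (claims 12 and 13), and the shared key of claim 14. Everything the claims leave open is this example's assumption: 64-byte keys, key identifiers assigned by a running counter as the "predetermined way", a SHA-256 keystream with HMAC-SHA256 standing in for whatever cipher the quantum keys would drive in practice, a toy Diffie-Hellman group for g and n, a `|`-separated message layout, and the choice to forward the peer's verification number inside the authentication message so both devices can compute K (the claims do not say how a device learns the other device's verification number). All key material is constructed inline in place of quantum key distribution equipment.

```python
import hashlib, hmac, os, secrets

G, N = 5, 2147483647   # constructed toy DH group: g = first big integer, n = second; sizes are NOT secure

def _stream(key, n):   # SHA-256 counter-mode keystream, an assumed stand-in for how the quantum key would be used
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def encrypt(key, pt):   # encrypt-then-MAC under a 64-byte quantum key: key[:32] encrypts, key[32:] authenticates
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key[:32], len(pt))))
    return ct + hmac.new(key[32:], ct, hashlib.sha256).digest()

def decrypt(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key[32:], ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _stream(key[:32], len(ct))))

class KeyPool:
    """Quantum key set shared with one peer (claims 15, 23): key id -> key, plus a used/unused status flag."""
    def __init__(self, keys):
        self.keys = {f"k{i:04d}": k for i, k in enumerate(keys)}   # ids assigned by a running counter (assumed)
        self.used = {kid: False for kid in self.keys}
    def take_fresh(self):   # pick an unused key for a message we send, and consume it
        kid = next((k for k, used in self.used.items() if not used), None)
        if kid is None:
            raise RuntimeError("key set exhausted; obtain a new set (claims 16, 24)")
        self.used[kid] = True
        return kid
    def open(self, kid):   # claims 12/19: look up by id, refuse a missing or already used key, then consume it
        if kid not in self.keys or self.used[kid]:
            return None
        self.used[kid] = True
        return self.keys[kid]

class Device:
    def __init__(self, ident, pool):
        self.id, self.pool = ident, pool
        self.nonce = secrets.token_hex(8)             # the random number of claim 13
        self.secret = secrets.randbelow(N - 2) + 2    # x or y (third / fourth big integer)
        self.pub = pow(G, self.secret, N)             # X or Y (first / second verification number)
    def request(self):   # identity, key id, g and n in the clear; Enc(identity || random number || verification number)
        kid = self.pool.take_fresh()
        body = f"{self.id}|{self.nonce}|{self.pub}".encode()
        return {"id": self.id, "kid": kid, "g": G, "n": N, "ct": encrypt(self.pool.keys[kid], body)}
    def verify(self, msg):   # claim 12: fresh key, valid tag, echoed random number equals ours -> (ok, results, peer pub)
        key = self.pool.open(msg["kid"])
        if key is None:
            return False, {}, None
        try:
            outcome, nonce, peer_pub = decrypt(key, msg["ct"]).decode().split("|")
            return nonce == self.nonce, dict(i.split("=") for i in outcome.split(",")), int(peer_pub)
        except ValueError:                            # bad tag or malformed body
            return False, {}, None
    def shared_key(self, peer_pub):                   # claim 14: K = Y^x = X^y = g^{xy} mod n
        return pow(peer_pub, self.secret, N)

class AuthServer:
    def __init__(self, pools):                        # device id -> key set shared with that device (claim 23)
        self.pools = pools
    def check(self, req):   # claims 19/20: unused key, decrypt, identity in the ciphertext must equal the clear one
        key = self.pools[req["id"]].open(req["kid"])
        if key is None:
            return None
        try:
            ident, nonce, pub = decrypt(key, req["ct"]).decode().split("|")
            return (nonce, int(pub)) if ident == req["id"] else None
        except ValueError:
            return None
    def handle(self, requests):   # claim 21: one encrypted authentication message per device, under a fresh key
        checked = {r["id"]: self.check(r) for r in requests}
        outcome = ",".join(f"{d}={'ok' if v else 'fail'}" for d, v in sorted(checked.items()))
        replies = {}
        for dev_id, v in checked.items():
            if v is None:
                continue
            peer = next((p for d, p in checked.items() if d != dev_id and p), None)   # forwarding the peer's
            kid = self.pools[dev_id].take_fresh()                                        # verification number is assumed
            body = f"{outcome}|{v[0]}|{peer[1] if peer else 0}".encode()
            replies[dev_id] = {"kid": kid, "ct": encrypt(self.pools[dev_id].keys[kid], body)}
        return replies

def run_protocol():   # whole exchange: device 1 -> device 2 -> server -> device 2 -> device 1
    keys1, keys2 = [os.urandom(64) for _ in range(3)], [os.urandom(64) for _ in range(3)]   # constructed QKD output
    d1, d2 = Device("dev1", KeyPool(keys1)), Device("dev2", KeyPool(keys2))
    srv = AuthServer({"dev1": KeyPool(keys1), "dev2": KeyPool(keys2)})
    req1, req2 = d1.request(), d2.request()             # claims 9-10: device 2 forwards both requests
    replies = srv.handle([req1, req2])
    ok2, res2, x_from_srv = d2.verify(replies["dev2"])   # claim 12: device 2 authenticates the server
    ok1, res1, y_from_srv = d1.verify(replies["dev1"])   # device 1 likewise, via device 2's authentication response
    replay_rejected = srv.check(req1) is None            # the key id was consumed, so a replayed request is refused
    return {"ok1": ok1, "ok2": ok2, "res1": res1, "res2": res2, "replay_rejected": replay_rejected,
            "k1": d1.shared_key(y_from_srv), "k2": d2.shared_key(x_from_srv),
            "g_xy": pow(G, d1.secret * d2.secret, N)}
```

`run_protocol()` returns both devices' verdicts, the server's per-device results and the two derived keys, which agree with $g^{xy} \bmod n$. The check that defeats replay is `KeyPool.open`: the server consumes the key identifier on first use, so the same request presented again is refused even though its ciphertext and tag are still valid, which is exactly what the status flag in claims 12, 19 and 20 buys. The Diffie-Hellman values are protected from substitution only because they travel inside a ciphertext authenticated under a key held solely by one device and the server; the big integers g and n can ride in the clear, X and Y cannot.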
25. An identity authentication device, characterized in that it comprises:
a generation module, configured to generate an authentication request, the authentication request including identity information, the identifier of the first quantum key used for the current authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key;
a sending module, configured to send the authentication request to a second device, so that the second device forwards the authentication request to an authentication server and the authentication server performs authentication according to the authentication request;
a receiving module, configured to receive an authentication response sent by the second device, the authentication response including the authentication message of the authentication server.
26. The device according to claim 25, characterized in that
the first encrypted ciphertext further includes first to-be-authenticated information;
the authentication message of the authentication server includes a first authentication message for the first device, the first authentication message including the identifier of the second quantum key used by the authentication server for the current authentication and a second encrypted ciphertext obtained by encrypting the authentication result and second to-be-authenticated information with the second quantum key; the authentication result includes the authentication server's authentication result for the second device and the authentication server's authentication result for the first device;
the device further comprises an authentication module, configured to authenticate the second device and the authentication server, respectively, according to the authentication response.
27. The device according to claim 26, characterized in that the authentication module comprises:
a lookup submodule, configured to look up the third quantum key corresponding to the identifier of the second quantum key;
a reading submodule, configured to read the status flag of the third quantum key if the third quantum key is found;
a decryption submodule, configured to decrypt the second encrypted ciphertext with the third quantum key to obtain the second to-be-authenticated information and the authentication result if the status flag of the third quantum key indicates that the third quantum key has not been used;
a comparison submodule, configured to compare the second to-be-authenticated information with the first to-be-authenticated information;
a first authentication submodule, configured to pass the authentication of the authentication server if the second to-be-authenticated information is consistent with the first to-be-authenticated information;
a second authentication submodule, configured to pass the authentication of the second device if the authentication result indicates that the authentication server has authenticated the second device.
28. The device according to claim 27, characterized in that the first to-be-authenticated information includes a random number and a first verification number; the authentication request further includes a first big integer and a second big integer; the first verification number is computed from the first big integer, the second big integer and a third big integer;
the second to-be-authenticated information includes: a random number, and a second verification number generated by the second device from the first big integer, the second big integer and a fourth big integer;
the comparison submodule is specifically configured to compare the random number in the second to-be-authenticated information with the random number in the first to-be-authenticated information.
29. The device according to claim 28, characterized in that the device further comprises:
a key calculation module, configured to compute a shared quantum key, the shared quantum key being used for communication with the second device;
the shared quantum key being computed as follows:
$K = X^y = Y^x = g^{xy} \bmod n$, with $Y = g^y \bmod n$ and $X = g^x \bmod n$;
where K is the shared quantum key, g the first big integer, n the second big integer, x the third big integer, y the fourth big integer, X the first verification number and Y the second verification number.
30. The device according to claim 26, characterized in that the authentication message of the authentication server includes the authentication server's authentication result for the first device; the first to-be-authenticated information is a random number.
31. The device according to claim 25, characterized in that the device further comprises:
a key acquisition module, configured to obtain, from quantum key distribution equipment, the quantum key set shared with the authentication server;
a setting module, configured to assign key identifiers to the keys in the quantum key set in a predetermined way;
a storage module, configured to store the quantum key set, the key identifiers, the identifier of the first device and the identifier of the authentication server.
32. The device according to claim 31, characterized in that the device further comprises:
an update module, configured to update the quantum key set.
33. An identity authentication device, characterized in that it comprises:
a first receiving module, configured to receive a first authentication request of a first device, the first authentication request including the identity information of the first device, the identifier of the first quantum key used by the first device for the current authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key;
a first sending module, configured to send an identity authentication request to an authentication server, the identity authentication request including the first authentication request, so that the authentication server performs authentication according to the identity authentication request;
a second receiving module, configured to receive the authentication message of the authentication server and authenticate the first device according to the authentication message;
a second sending module, configured to send an authentication response to the first device according to the authentication message.
34. The device according to claim 33, characterized in that the device further comprises:
a generation module, configured to generate a second authentication request, the second authentication request including the identity information of the second device, the identifier of the second quantum key used by the second device for the current authentication, and a second encrypted ciphertext obtained by encrypting the identity information and second to-be-authenticated information with the second quantum key;
the identity authentication request further including the second authentication request.
35. The device according to claim 34, characterized in that the authentication message of the authentication server includes a second authentication message for the second device, the second authentication message including the identifier of the third quantum key used by the authentication server for the current authentication and a third encrypted ciphertext obtained by encrypting the authentication result and third to-be-authenticated information with the third quantum key; the authentication result includes the authentication server's authentication result for the first device and the authentication server's authentication result for the second device;
the device further comprises an authentication module, configured to receive the authentication message of the authentication server and authenticate the authentication server according to the authentication message.
36. The device according to claim 35, characterized in that the authentication module comprises:
a lookup submodule, configured to look up the fourth quantum key corresponding to the identifier of the third quantum key;
a reading submodule, configured to read the status flag of the fourth quantum key if the fourth quantum key is found;
a decryption submodule, configured to decrypt the third encrypted ciphertext with the fourth quantum key to obtain the third to-be-authenticated information and the authentication result if the status flag of the fourth quantum key indicates that the fourth quantum key has not been used;
a comparison submodule, configured to compare the third to-be-authenticated information with the second to-be-authenticated information;
a first authentication submodule, configured to pass the authentication of the authentication server if the third to-be-authenticated information is consistent with the second to-be-authenticated information;
a second authentication submodule, configured to pass the authentication of the first device if the authentication result indicates that the authentication server has authenticated the first device.
37. The device according to claim 36, characterized in that the first encrypted ciphertext further includes first to-be-authenticated information; the first to-be-authenticated information includes a random number and a first verification number;
the first authentication request further includes a first big integer and a second big integer; the first verification number is computed from the first big integer, the second big integer and a third big integer;
the second to-be-authenticated information includes: a random number, and a second verification number generated from the first big integer, the second big integer and a fourth big integer;
the comparison submodule is specifically configured to compare the random number in the third to-be-authenticated information with the random number in the second to-be-authenticated information.
38. The device according to claim 37, characterized in that the device further comprises:
a key calculation module, configured to compute a shared quantum key, the shared quantum key being used for communication with the first device;
the shared quantum key being computed as follows:
$K = X^y = Y^x = g^{xy} \bmod n$, with $Y = g^y \bmod n$ and $X = g^x \bmod n$;
where K is the shared quantum key, g the first big integer, n the second big integer, x the third big integer, y the fourth big integer, X the first verification number and Y the second verification number.
39. The device according to claim 32, characterized in that the device further comprises:
a key acquisition module, configured to obtain, from quantum key distribution equipment, the quantum key set shared with the authentication server;
a setting module, configured to assign key identifiers to the keys in the quantum key set in a predetermined way;
a storage module, configured to store the quantum key set, the key identifiers, the identifier of the second device and the identifier of the authentication server.
40. The device according to claim 39, characterized in that the device further comprises:
an update module, configured to update the quantum key set.
41. An identity authentication device, characterized in that it comprises:
a receiving module, configured to receive an identity authentication request from a second device; wherein the identity authentication request includes a first authentication request of a first device, and the first authentication request includes the identity information of the first device, the identifier of the first quantum key used by the first device for the current authentication, and a first encrypted ciphertext obtained by encrypting the identity information with the first quantum key;
an authentication module, configured to perform authentication according to the identity authentication request;
a sending module, configured to send an authentication message to the second device.
42. The device according to claim 41, characterized in that
the first encrypted ciphertext further includes first to-be-authenticated information;
the identity authentication request further includes a second authentication request, the second authentication request including the identity information of the second device, the identifier of the second quantum key used by the second device for the current authentication, and a second encrypted ciphertext obtained by encrypting the identity information and second to-be-authenticated information with the second quantum key.
43. The device according to claim 42, characterized in that the authentication module comprises:
a first lookup submodule, configured to look up the third quantum key corresponding to the identifier of the first quantum key;
a first reading submodule, configured to read the status flag of the third quantum key if the third quantum key is found;
a first decryption submodule, configured to decrypt the first encrypted ciphertext with the third quantum key to obtain the identity information of the first device and the first to-be-authenticated information if the status flag of the third quantum key indicates that the third quantum key has not been used;
a first comparison submodule, configured to compare the identity information contained in the first authentication request with the identity information of the first device obtained by decryption;
a first authentication submodule, configured to pass the authentication of the first device if the identity information contained in the first authentication request is consistent with the identity information of the first device obtained by decryption.
44. The device according to claim 43, characterized in that the authentication module comprises:
a second lookup submodule, configured to look up the fourth quantum key corresponding to the identifier of the second quantum key;
a second reading submodule, configured to read the status flag of the fourth quantum key if the fourth quantum key is found;
a second decryption submodule, configured to decrypt the second encrypted ciphertext with the fourth quantum key to obtain the identity information of the second device and the second to-be-authenticated information if the status flag of the fourth quantum key indicates that the fourth quantum key has not been used;
a second comparison submodule, configured to compare the identity information contained in the second authentication request with the identity information of the second device obtained by decryption;
a second authentication submodule, configured to pass the authentication of the second device if the identity information contained in the second authentication request is consistent with the identity information of the second device obtained by decryption.
45. The device according to claim 42, 43 or 44, characterized in that the authentication message includes a first authentication message for the first device and a second authentication message for the second device;
the first authentication message includes the identifier of the fifth quantum key used by the authentication server for the current authentication and a third encrypted ciphertext obtained by encrypting the authentication result and third to-be-authenticated information with the fifth quantum key;
the second authentication message includes the identifier of the sixth quantum key used by the authentication server for the current authentication and a fourth encrypted ciphertext obtained by encrypting the authentication result and fourth to-be-authenticated information with the sixth quantum key;
the authentication result includes the authentication server's authentication result for the first device and the authentication server's authentication result for the second device.
46. The device according to claim 45, characterized in that the first to-be-authenticated information includes a random number and a first verification number; the authentication request further includes a first big integer and a second big integer; the first verification number is computed from the first big integer, the second big integer and a third big integer;
the second to-be-authenticated information includes: a random number, and a second verification number generated by the second device from the first big integer, the second big integer and a fourth big integer;
wherein the third to-be-authenticated information includes the random number in the first to-be-authenticated information and the first verification number; the fourth to-be-authenticated information includes the random number in the second to-be-authenticated information and the second verification number.
47. The device according to claim 41, characterized in that the device further comprises:
a key acquisition module, configured to obtain, from quantum key distribution equipment, a first quantum key set shared with the first device and a second quantum key set shared with the second device, respectively;
a setting module, configured to assign key identifiers to the keys in the first quantum key set and the second quantum key set in a predetermined way;
a first storage module, configured to store the first quantum key set, the key identifiers, the identifier of the first device and the identifier of the authentication server;
a second storage module, configured to store the second quantum key set, the key identifiers, the identifier of the second device and the identifier of the authentication server.
48. The device according to claim 47, characterized in that the device further comprises:
an update module, configured to update the quantum key sets.
CN201710052613.3A 2017-01-24 2017-01-24 Identity authentication method and device Active CN108347404B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710052613.3A CN108347404B (en) 2017-01-24 2017-01-24 Identity authentication method and device

Publications (2)

Publication Number Publication Date
CN108347404A true CN108347404A (en) 2018-07-31
CN108347404B CN108347404B (en) 2021-10-26

Family

ID=62974724

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710052613.3A Active CN108347404B (en) 2017-01-24 2017-01-24 Identity authentication method and device

Country Status (1)

Country Link
CN (1) CN108347404B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108429717A (en) * 2017-02-13 2018-08-21 中国移动通信有限公司研究院 A kind of identity identifying method and device
CN109525390A (en) * 2018-11-20 2019-03-26 江苏亨通问天量子信息研究院有限公司 Quantum key wireless dispatch method and system for terminal device secret communication
CN110601838A (en) * 2019-10-24 2019-12-20 国网山东省电力公司信息通信公司 Identity authentication method, device and system based on quantum key
CN111756733A (en) * 2020-06-23 2020-10-09 恒生电子股份有限公司 Identity authentication method and related device
CN112448970A (en) * 2019-08-29 2021-03-05 阿里巴巴集团控股有限公司 Equipment connection method and system and corresponding Internet of things equipment
CN113099443A (en) * 2019-12-23 2021-07-09 阿里巴巴集团控股有限公司 Equipment authentication method, device, equipment and system
CN113206817A (en) * 2020-02-03 2021-08-03 中移物联网有限公司 Equipment connection confirmation method and block chain network
CN113660385A (en) * 2021-08-12 2021-11-16 珠海奔图电子有限公司 Information collection method, communication device, server, system, and storage medium
CN114301593A (en) * 2021-12-30 2022-04-08 济南量子技术研究院 EAP authentication system and method based on quantum key
CN114362967A (en) * 2022-03-09 2022-04-15 南京易科腾信息技术有限公司 Authentication method, device and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101378582A (en) * 2007-08-29 2009-03-04 中国移动通信集团公司 User recognizing module, authentication center, authentication method and system
CN101521882A (en) * 2009-03-24 2009-09-02 刘建 Method and system for updating preshared key
CN101938354A (en) * 2010-09-02 2011-01-05 武汉天喻信息产业股份有限公司 Key distribution method based on modular exponentiation and application thereof
CN103152731A (en) * 2013-02-27 2013-06-12 东南大学 3G accessed IMSI (international mobile subscriber identity) privacy protection method
CN103312672A (en) * 2012-03-12 2013-09-18 西安西电捷通无线网络通信股份有限公司 Identity authentication method and system
US20130315395A1 (en) * 2012-05-25 2013-11-28 The Johns Hopkins University Embedded Authentication Protocol for Quantum Key Distribution Systems
CN103997484A (en) * 2014-02-28 2014-08-20 山东量子科学技术研究院有限公司 SIP (Session Initiation Protocol) signaling safety communication system and method of quantum cryptography network
US20160378949A1 (en) * 2015-06-26 2016-12-29 Alibaba Group Holding Limited System, method, and apparatus for electronic prescription
CN108282329A (en) * 2017-01-06 2018-07-13 中国移动通信有限公司研究院 A kind of Bidirectional identity authentication method and device

CN104270242A (en) Encryption and decryption device used for network data encryption transmission
CN204180095U (en) A kind of ciphering and deciphering device for network data encryption transmission
Guo et al. A Secure and Efficient Mutual Authentication and Key Agreement Protocol with Smart Cards for Wireless Communications.
TWI597960B (en) Key splitting
US20200235915A1 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
Olumide et al. A hybrid encryption model for secure cloud computing
US20230153445A1 (en) Enhanced security systems and methods using a hybrid security solution
CN114866244A (en) Controllable anonymous authentication method, system and device based on ciphertext block chaining encryption
CN108429717A (en) A kind of identity identifying method and device
CN112583580B (en) Quantum key processing method and related equipment
Al-Ramini Implementation of proposed lightweight cryptosystem for use in Cloud Computing Security
KR20170087120A (en) Certificateless public key encryption system and receiving terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant