CN114091055A - Quantum encryption information transmission system - Google Patents

Quantum encryption information transmission system Download PDF

Info

Publication number
CN114091055A
CN114091055A CN202111301976.9A CN202111301976A CN114091055A CN 114091055 A CN114091055 A CN 114091055A CN 202111301976 A CN202111301976 A CN 202111301976A CN 114091055 A CN114091055 A CN 114091055A
Authority
CN
China
Prior art keywords
server
communication server
base station
key
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111301976.9A
Other languages
Chinese (zh)
Inventor
顾鹏飞
赵西明
戴文浩
肖泽琼
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Tiantong Information Technology Co ltd
Original Assignee
Shenzhen Tiantong Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Tiantong Information Technology Co ltd filed Critical Shenzhen Tiantong Information Technology Co ltd
Priority to CN202111301976.9A priority Critical patent/CN114091055A/en
Publication of CN114091055A publication Critical patent/CN114091055A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/73Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N10/00Quantum computing, i.e. information processing based on quantum-mechanical phenomena

Abstract

The invention relates to a quantum encrypted information transmission system, comprising: the first authentication module is used for the communication server to send request information and the identity authentication of the CA server; the second authentication module is used for the communication server to send the request information to authenticate the identity of the base station; the remote interaction module is used for generating a digital certificate application file of the CA server before the CA server is in a working state, importing a formal digital certificate stored in the database server into the CA server, and executing remote transmission of quantum encryption information; and the updating module is used for updating the symmetric key of the CA server and importing the test digital certificate stored in the communication server into the CA server before the CA server stops information transmission. The proposal improves the management flow of the terminal digital certificate and the symmetric key, makes up the security protection loophole of the CA server in the transmission process of the quantum encrypted information, and improves the security protection level of the CA server in-situ application and transmission.

Description

Quantum encryption information transmission system
Technical Field
The invention relates to the technical field of information security, in particular to a quantum encryption information transmission system.
Background
In the existing CA server field transmission process, a transmission person usually adopts portable equipment to carry out operation state inspection and software function maintenance on a terminal, however, no safety measure and protection mechanism exists in data interaction between the CA server and a field communication server at present, and transmission software is easy to be invaded, tampered, even copied and simulated to form a safety protection hole; secondly, the terminal cannot authenticate the legality of the field communication server, and the data in the terminal is easily damaged by the illegal communication server; in addition, the management flow of the digital certificate and the symmetric key of the on-site CA server is not complete enough, and the method has certain influence on the on-site deployment and the development of application work of the CA server.
Disclosure of Invention
The invention provides a quantum encryption information transmission system, which aims at the problems of security protection loopholes in the field transmission process of a CA server, incomplete management flow of field terminal digital certificates and symmetric keys and the like. By adopting the technical means of identity authentication, symmetric encryption, digital signature and the like based on the digital certificate, the method provides an encrypted information safe transmission scheme between the communication server and the CA server and between the communication server and the base station, and the processes of the CA server symmetric key recovery, digital certificate application and downloading, thereby improving the safety protection level of the CA server on-site application and transmission.
The purpose of the invention is realized by adopting the following technical scheme:
a quantum encryption information transmission system, the system comprising:
the first authentication module is used for the communication server to send request information to complete identity authentication with the CA server;
the second authentication module is used for the communication server to send request information to complete identity authentication with the base station;
the remote interaction module is used for generating a digital certificate application file of the CA server before the CA server is in a working state, importing a formal digital certificate stored in the communication server into the CA server, and executing remote transmission of quantum encryption information;
and the updating module is used for updating the symmetric key of the CA server and importing the test digital certificate stored in the communication server into the CA server before the CA server stops information transmission.
Preferably, the first authentication module includes:
the first random number generating unit is used for receiving the random number R generated by the CA server by the communication server, signing the random number R and then sending the signed random number R to the CA server;
and the first signature validity authentication unit is used for receiving the result of verifying the signature validity by the CA server according to the digital certificate of the communication server and establishing information transmission between the communication server and the CA server for the communication server passing the CA server identity authentication.
Preferably, the second authentication module includes:
a second random number generation unit for automatically generating a random number R by the communication server1The random number and the communication server digital certificate are sent to the base station; the base station obtains a random number R from a quantum random number generator2To { R1+R2Sign acquisition SmfWill { R2+Smf+ signing key identification IaskSending the data to a communication server;
a second signature validity authentication unit for verifying the validity of the base station signature by the communication server through the base station digital certificate, and if the verification is passed, the communication server verifies the base station random number R2Signing is carried out, and { signature result Sfm+ signing key identification IfSending the data to a base station;
the first digital certificate correctness authentication unit is used for verifying the correctness of the signature of the communication server by the base station through the digital certificate of the communication server, authenticating the identity of the communication server if the verification is passed, and returning authentication result information; after the bidirectional authentication is successful, the base station sends a reading communication serviceMessage of device ID, communication server returning ID number and initial vector IV for calculating message authentication code0
Preferably, the remote interaction module includes: the system comprises an application file generation unit, a formal certificate import unit and an interaction unit; the certificate importing unit is used for sending the formal digital certificate to the CA server in a plaintext form by the communication server, downloading the digital certificate to a security chip of the CA server by the CA server, and returning a certificate updating result to the communication server.
Further, the application file generating unit includes:
the acquisition subunit is used for sending a terminal serial number acquisition instruction to the CA server by the communication server; CA server responds and returns terminal sequence number Nt(ii) a The communication server sends a terminal security chip serial number acquisition instruction to a CA server; CA server reads serial number N from security chipsAnd returns to the communication server; the communication server sends a request for acquiring a public key of a terminal security chip to a CA server;
a reading subunit for the CA server to read the public key K from the security chiptAnd returns to the communication server;
a character string generation subunit for generating a string containing N by the communication servert、NsAnd KtA certificate request character string A of the information and sends A to the terminal;
a receipt subunit for the CA server to sign A to obtain a signature result SaAnd then S isaReturning to the communication server; communication server according to Nt、Ns、Kt、SaAnd the terminal uses the unit name to generate a certificate application file for the terminal.
Further, the interaction unit includes:
an encryption subunit, configured to, after the communication server and the base station successfully authenticate the identities, protect the transmission data message M sent by the encryption key pair by using field transmission datafmIs encrypted and provided with IV0Calculating message authentication code for MAC initial vector to obtain { cipher text Efm+MACfmAnd sending the data to a base station;
a decryption subunit, which is used for the base station to take the communication server ID as a dispersion factor, disperse the field transmission data protection decryption key in the quantum random number generator and carry out the decryption on the { Efm+MACfmCarrying out authentication, decoding and decryption operation on the verification message to obtain plaintext message data;
a key dispersion subunit, which is used for the base station to disperse the field transmission data protection encryption key in the quantum random number generator by taking the communication server ID as a dispersion factor and to transmit the transmission data message MmfCarrying out encryption; and with IV0Calculating message authentication code for initial vector of message authentication code to obtain { ciphertext Emf+MACmfSending the data to a communication server;
a plaintext message data acquisition subunit for protecting the decryption key pair { E ] by the communication server using field transmission datamf+MACmfAnd carrying out authentication, decoding and decryption operation on the verification message to obtain plaintext message data.
Preferably, the update module includes: the device comprises an updating unit and a test certificate importing unit;
the test certificate importing unit is used for the communication server to send the formal digital certificate to the CA server in a plaintext form, and the CA server downloads the digital certificate to the security chip of the CA server and returns a certificate updating result to the communication server.
Further, the update unit includes:
a first signature result obtaining subunit, configured to, after the CA server receives the terminal security chip serial number obtaining instruction, return a security chip serial number Ns(ii) a The communication server sends a key version number acquisition instruction to the CA server; the CA server reads the version number V of the symmetric key from the security chip1Obtaining a random number R3Returning to the communication server; communication server pair { Ns+V1+R3Sign acquisition signature result SrkAnd will { N }s+V1+R3+Srk+ signing keyIdentification IfSending the data to a base station;
a verification subunit, configured to verify the validity of the signature through the communication server digital certificate by the base station, and if the signature passes the verification, verify the signature according to the key version number V1Judging the version number of the symmetric key derived from the encryption authentication device;
a second signature result obtaining subunit, configured to enable the base station to obtain the terminal random number R3As an initial vector for calculating the message authentication code, the serial number N of the terminal security chipsAs a dispersion factor pair V1The master key of the version is dispersed to obtain a protection transmission key, and a symmetric key P of a specified version is dispersedly derivedk(ii) a And based on SM2 algorithm, P is paired by using private key of base stationkSigning to obtain a signature result SkIdentification of { signing Key Iask+Pk+SkSending the data to a CA server through the communication server;
a return subunit, configured to, after the CA server receives the key recovery packet, identify the { signing key identifier Iask+Pk+SkSending the key to the safety chip to update the symmetric key and returning the update result information to the communication server.
Compared with the closest prior art, the invention has the following beneficial effects:
the invention provides a quantum encryption information transmission system, which has the safety protection capability on the confidentiality and the integrity of the data transmitted by a CA server and can effectively prevent the transmitted data from being maliciously tampered, imitated or damaged by hackers.
The communication server sends request information to complete identity authentication with the CA server and the base station; before the CA server is in a working state, a digital certificate application file of the CA server is generated, a formal digital certificate stored in the communication server is imported into the CA server, and remote transmission of quantum encryption information is executed; and when the CA server stops information transmission, updating the symmetric key of the CA server, and importing the test digital certificate stored in the communication server into the CA server. The security management mechanism of the digital certificate and the symmetric key of the on-site CA server is perfected through the operation. The identity authentication capability of the CA server to the field communication server and the bidirectional identity authentication capability between the communication server and the base station are increased, and the safety level of the field information transmission of the terminal is improved.
Drawings
FIG. 1 is a block diagram of a quantum encrypted information transmission system provided by the present invention;
wherein, 101: first authentication module, 102: first authentication module, 103: remote interaction module, 104: and updating the module.
Detailed Description
The following describes embodiments of the present invention in further detail with reference to the accompanying drawings.
The present invention provides a quantum encrypted information transmission system, as shown in fig. 1, including:
the first authentication module 101 is used for the communication server to send request information to complete identity authentication with the CA server;
the second authentication module 102 is configured to send request information to complete identity authentication with the base station by the communication server;
the remote interaction module 103 is used for generating a digital certificate application file of the CA server before the CA server is in a working state, importing a formal digital certificate stored in the communication server into the CA server, and executing remote transmission of quantum encryption information;
and the updating module 104 is configured to update the symmetric key of the CA server before the CA server stops information transmission, and introduce the test digital certificate stored in the communication server into the CA server.
Wherein:
the first authentication module includes:
the first random number generating unit is used for receiving the random number R generated by the CA server by the communication server, signing the random number R and then sending the signed random number R to the CA server;
and the first signature validity authentication unit is used for receiving the result of verifying the signature validity by the CA server according to the digital certificate of the communication server and establishing information transmission between the communication server and the CA server for the communication server passing the CA server identity authentication.
The second authentication module includes:
a second random number generation unit for automatically generating a random number R by the communication server1Sending the random number and the communication server digital certificate to a base station and sending the random number and the communication server digital certificate to the base station; the base station obtains a random number R from a quantum random number generator2To { R1+R2Sign acquisition SmfWill { R2+Smf+ signing key identification IaskSending the data to a communication server;
a second signature validity authentication unit for verifying the validity of the base station signature by the communication server through the base station digital certificate, and if the verification is passed, the communication server verifies the base station random number R2Signing is carried out, and { signature result Sfm+ signing key identification IfSending the data to a base station;
the first digital certificate correctness authentication unit is used for verifying the correctness of the signature of the communication server by the base station through the digital certificate of the communication server, authenticating the identity of the communication server if the verification is passed, and returning authentication result information; after the bidirectional authentication is successful, the base station sends a message for reading the ID of the communication server, and the communication server returns the ID number and an initial vector IV for calculating the message authentication code0
The remote interaction module comprises: the system comprises an application file generation unit, a formal certificate import unit and an interaction unit; the system comprises a communication server, a certificate importing unit, a CA server and a certificate updating unit, wherein the certificate importing unit is used for the communication server to send a digital certificate for official use to the CA server in a plaintext form, and the CA server downloads the digital certificate to a security chip of the CA server and returns a certificate updating result to the communication server;
the application file generation unit includes:
the acquisition subunit is used for sending a terminal serial number acquisition instruction to the CA server by the communication server; CA server responds and returns terminal sequence number Nt(ii) a The communication server sends a terminal security chip serial number acquisition instruction to a CA server; CA server reads serial number N from security chipsAnd returns to the communication server; the communication server sends a request for acquiring a public key of a terminal security chip to a CA server;
a reading subunit for the CA server to read the public key K from the security chiptAnd returns to the communication server;
a character string generation subunit for generating a string containing N by the communication servert、NsAnd KtA certificate request character string A of the information and sends A to the terminal;
a receipt subunit for the CA server to sign A to obtain a signature result SaAnd then S isaReturning to the communication server; communication server according to Nt、Ns、Kt、SaGenerating a certificate application file for the terminal by using the name of the unit;
the interaction unit includes:
an encryption subunit, configured to, after the communication server and the base station successfully authenticate the identities, protect the transmission data message M sent by the encryption key pair by using field transmission datafmIs encrypted and provided with IV0Calculating message authentication code for MAC initial vector to obtain { cipher text Efm+MACfmAnd sending the data to a base station;
a decryption subunit, which is used for the base station to take the communication server ID as a dispersion factor, disperse the field transmission data protection decryption key in the quantum random number generator and carry out the decryption on the { Efm+MACfmCarrying out authentication, decoding and decryption operation on the verification message to obtain plaintext message data;
a key dispersion subunit, which is used for the base station to disperse the field transmission data protection encryption key in the quantum random number generator by taking the communication server ID as a dispersion factor and to transmit the transmission data message MmfCarrying out encryption; and with IV0Calculating message authentication code for initial vector of message authentication code to obtain { ciphertext Emf+MACmfSending the data to a communication server;
a plaintext message data acquisition subunit for protecting the decryption key pair { E ] by the communication server using field transmission datamf+MACmfAnd carrying out authentication, decoding and decryption operation on the verification message to obtain plaintext message data.
The update module includes: the device comprises an updating unit and a test certificate importing unit;
the test certificate importing unit is used for sending the formal digital certificate to the CA server in a plaintext form by the communication server, downloading the digital certificate to a security chip of the CA server by the CA server, and returning a certificate updating result to the communication server;
the update unit includes:
a first signature result obtaining subunit, configured to, after the CA server receives the terminal security chip serial number obtaining instruction, return a security chip serial number Ns(ii) a The communication server sends a key version number acquisition instruction to the CA server; the CA server reads the version number V of the symmetric key from the security chip1Obtaining a random number R3Returning to the communication server; communication server pair { Ns+V1+R3Sign acquisition signature result SrkAnd will { N }s+V1+R3+Srk+ signing key identification IfSending the data to a base station;
a verification subunit, configured to verify the validity of the signature through the communication server digital certificate by the base station, and if the signature passes the verification, verify the signature according to the key version number V1Judging the version number of the symmetric key derived from the encryption authentication device;
a second signature result obtaining subunit, configured to enable the base station to obtain the terminal random number R3As an initial vector for calculating the message authentication code, the serial number N of the terminal security chipsAs a dispersion factor pair V1The master key of the version is dispersed to obtain a protection transmission key, and a symmetric key P of a specified version is dispersedly derivedk(ii) a And based on SM2 algorithm, P is paired by using private key of base stationkSigning to obtain a signature result SkIdentification of { signing Key Iask+Pk+SkSending the data to a CA server through the communication server;
a return subunit, configured to, after the CA server receives the key recovery packet, identify the { signing key identifier Iask+Pk+SkSending it to the safety chip to complete the updating of the symmetric key and returning it to the communication serverAnd updating the result information.
Example 1:
the scheme of the above embodiment provides the following authentication flows of the communication server and the CA server:
a. the communication server initiates an authentication request to the terminal, and sends the communication server ID and the digital certificate CFSending the data to a terminal;
b. the terminal sends the random number R to the communication server;
c. the communication server signs the random number R and sends a signature result to the terminal;
d. terminal CFAnd verifying the validity of the signature and returning the authentication result to the communication server. After the communication server passes the safety certification of the terminal, the two parties can transmit the field transmission message.
The bidirectional authentication process between the communication server and the base station is as follows:
a. after network connection is established between the communication server and the base station, such as TCP connection; the communication server initiates a bidirectional identity authentication request to the base station. The communication server fetches the random number R1Will { R1+CFSending the data to a base station;
b. base station gets random number R from quantum random number generator2To { R1+R2Get S after signingmfWill { R2+Smf+ signing key identification IaskSending the data to a communication server; i isask1,2,3, 4;
c. base station certificate for communication server (certificate identification must and I)askCorresponding; for example IaskWhen 1, the base station certificate C is used1) Verifying the signature validity of the base station, and verifying the identity of the base station by the communication server; then the communication server sends the random number R to the base station2Signature, will { signature result Sfm+ signing key identification IfSending the data to a base station; i isfAnd 1 can be taken.
d. Base station CFVerifying the correctness of the signature of the communication server, verifying the identity authentication of the communication server by the base station and returning authentication confirmation information;
e. after the bidirectional authentication is successful, the base station sends a message for reading the ID of the communication server, the communication server returns the ID number of the communication server and an initial vector IV for calculating a Message Authentication Code (MAC)0
II, before the CA server is in a working state, generating a digital certificate application file of the CA server, importing a formal digital certificate stored in the communication server into the CA server, and executing remote transmission of quantum encryption information;
1) the generation of the digital certificate application file of the CA server comprises the following steps:
a. the communication server sends a terminal serial number acquisition instruction to the CA server;
CA server returns terminal serial number Nt
c. The communication server sends a command for acquiring a serial number of a terminal security chip to a CA server;
CA server reads serial number N from security chipsAnd returns to the communication server;
e. the communication server sends an instruction for acquiring a public key of the terminal security chip to a CA server;
CA server reads public key K from security chiptAnd returns to the communication server;
g. communication server generating a message containing Nt、NsAnd KtA certificate request character string A of the information and sends A to the terminal;
CA server gets S for A signatureaAnd then S isaReturning to the communication server;
i. communication server utilizing Nt、Ns、Kt、SaAnd generating a PCKS #10 file for applying the terminal certificate according to the information of the electric power company of the city to which the terminal belongs.
The field transmission data remote safety interaction comprises the following steps:
a. after passing identity authentication between the communication server and the base station, protecting the encryption key K by using field transmission data1'5For the transmitted transmission data message MfmIs encrypted and provided with IV0Computing MAC for MAC initial vector to obtain { cipherText Efm+MACfmAnd sending the data to a base station;
b. base station protects decryption key K for field transmission data in quantum random number generator by using communication server ID as dispersion factor15Dispersing for 1 time to obtain K'15And pair of { Efm+MACfmPerforming MAC verification and decryption operation to obtain plaintext message data; base station protects encryption key K for field transmission data in quantum random number generator by using communication server ID as dispersion factor14Dispersing for 1 time to obtain K'14For the transmitted transmission data message MmfEncrypted and given IV0Calculating MAC for MAC initial vector to obtain { ciphertext Emf+MACmfSending the data to a communication server;
c. communication server transmits data protection decryption key K 'on site'14To { Emf+MACmfAnd carrying out MAC verification and decryption operation to obtain plaintext message data.
The field transmission data remote safety interaction comprises the following steps:
a. after the identity authentication is carried out between the communication server and the base station, the encryption key K 'is protected by field transmission data'15For the transmitted transmission data message MfmIs encrypted and provided with IV0Calculating MAC for MAC initial vector to obtain { ciphertext Efm+MACfmAnd sending the data to a base station;
b. base station protects decryption key K for field transmission data in quantum random number generator by using communication server ID as dispersion factor15Dispersing for 1 time to obtain K'15And pair of { Efm+MACfmPerforming MAC verification and decryption operation to obtain plaintext message data; base station protects encryption key K for field transmission data in quantum random number generator by using communication server ID as dispersion factor14Dispersing for 1 time to obtain K'14For the transmitted transmission data message MmfEncrypted and given IV0Calculating MAC for MAC initial vector to obtain { ciphertext Emf+MACmfSending the data to a communication server;
c.communication server transmits data protection decryption key K 'on site'14To { Emf+MACmfAnd carrying out MAC verification and decryption operation to obtain plaintext message data.
The importing of the formal or test digital certificate stored in the communication server to the CA server includes: the communication server sends the formal or test digital certificate to the CA server in a plaintext form, and the CA server downloads the digital certificate to a security chip of the CA server and returns a certificate updating result to the communication server; the formal or test digital certificate is in a form of { certificate identifier + certificate content }, and comprises a CA secondary application certificate, a base station certificate and a gateway certificate. Certificate content CnA field for representing a formal or test digital certificate is included, and a security chip of the CA server can recognize the formal or test digital certificate through the field.
Before the working state of the CA server, the communication server sends a formal CA secondary application certificate C0Base station certificate (C)1,C2,C3,C4) And a secure access gateway certificate C5Importing a CA server;
the built-in formal symmetric key of the security chip comprises: k'10,K′11,K′12,K13,K14(ii) a After the encryption authentication device at the side of the distribution base station is issued, 2 groups of symmetric keys with the same function as the terminal security chip are arranged in the encryption authentication device; wherein, the 0 th group of test keys are: k00,K01,K02,K03,K04(ii) a The 1 st group of formal keys are: k10,K11,K12,K13,K14
And III, before the CA server stops information transmission, updating the symmetric key of the CA server, and importing the test digital certificate stored in the communication server into the CA server.
CA secondary application certificate C 'for testing by communication server'0Base station certificate (C'1,C′2,C′3,C′4) And secure access gateway certificate C'5Importing a CA server; communication serviceThe device will { certificate identity n + certificate content CnN may take 0,1,2,3,4,5) to send in plaintext to the CA server; the CA server downloads the certificate content to the security chip.
Updating the symmetric key of the CA server includes:
a. the communication server sends a command for acquiring a serial number of a terminal security chip to a CA server;
CA server returns security chip serial number Ns
c. The communication server sends a key version number obtaining instruction to the terminal;
d. the terminal reads the version number V of the symmetric key from the security chip1(V1May take 1) and obtain the random number R3Returning to the communication server;
e. communication server pair { Ns+V1+R3Get S from signaturerkAnd will { N }s+V1+R3+Srk+ signing key identification IfSending the data to a base station;
f. base station CFVerifying the validity of the signature, and if the signature passes the verification, the base station passes the version number V of the secret key1Judging the version number V of the symmetric key to be derived from the encryption authentication device0(V0Take 0);
g. base station using terminal random number R3As an initial vector for calculating MAC, a terminal security chip serial number N is utilizedsAs a dispersion factor pair V1Master key K of a edition10Dispersing to obtain a protected transmission key K'10Disperse derivation V0Symmetric Key of plate to K'00,K′01,K′02,K03,K04(for K)00,K01,K02The number of dispersion times of (2) is 1; to K03,K04The number of scattering times of 0) and MAC; derived data packet PkComprises the following steps: { V0,K′00Cryptograph + MAC, K'01Ciphertext + MAC, …, K04Ciphertext + MAC, and utilize base station private key pair PkSigning to obtain SkIdentification of { signing Key Iask+Pk+SkSending the data to a communication server;
e. the communication server identifies the { signing key Iask+Pk+SkSending the data to a CA server; after the terminal receives the key recovery message, the { I } will beask+Pk+SkAnd sending the key to a security chip to complete key updating and returning an updating result to the communication server.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application and not for limiting the protection scope thereof, and although the present application is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: numerous variations, modifications, and equivalents will occur to those skilled in the art upon reading the present application and are within the scope of the claims appended hereto.

Claims (8)

1. A quantum encrypted information transmission system, the system comprising:
the first authentication module is used for the communication server to send request information and the identity authentication of the CA server;
the second authentication module is used for the communication server to send the request information to authenticate the identity of the base station;
the remote interaction module is used for generating a digital certificate application file of the CA server before the CA server is in a working state, importing a formal digital certificate stored in the database server into the CA server, and executing remote transmission of quantum encryption information;
and the updating module is used for updating the symmetric key of the CA server and importing the test digital certificate stored in the communication server into the CA server before the CA server stops information transmission.
2. The system of claim 1, wherein the first authentication module comprises:
the first random number generating unit is used for receiving the random number R generated by the CA server by the communication server, signing the random number R and then sending the signed random number R to the CA server;
and the first signature validity authentication unit is used for receiving the result of verifying the signature validity by the CA server according to the digital certificate of the communication server and establishing information transmission between the communication server and the CA server for the communication server passing the CA server identity authentication.
3. The system of claim 1, wherein the second authentication module comprises:
a second random number generation unit for automatically generating a random number R by the communication server1Sending the random number and the communication server digital certificate to the base station; the base station obtains a random number R from a quantum random number generator2To { R1+R2Sign acquisition SmfWill { R2+Smf+ signing key identification IaskSending the data to a communication server;
a second signature validity authentication unit for verifying the validity of the base station signature by the communication server through the base station digital certificate, and if the verification is passed, the communication server verifies the base station random number R2Signing is carried out, and { signature result Sfm+ signing key identification IfSending the data to a base station;
the first digital certificate correctness authentication unit is used for verifying the correctness of the signature of the communication server by the base station through the digital certificate of the communication server, authenticating the identity of the communication server if the verification is passed, and returning authentication result information; after the bidirectional authentication is successful, the base station sends a message for reading the ID of the communication server, and the communication server returns the ID number and an initial vector IV for calculating the message authentication code0
4. The apparatus of claim 1, wherein the remote interaction module comprises: the system comprises an application file generation unit, a formal certificate import unit and an interaction unit; the certificate importing unit is used for sending the formal digital certificate to the CA server in a plaintext form by the communication server, downloading the digital certificate to a security chip of the CA server by the CA server, and returning a certificate updating result to the communication server.
5. The system according to claim 4, wherein the application document generating unit includes:
the acquisition subunit is used for sending a terminal serial number acquisition instruction to the CA server by the communication server; CA server responds and returns terminal sequence number Nt(ii) a The communication server sends a terminal security chip serial number acquisition instruction to a CA server; CA server reads serial number N from security chipsAnd returns to the communication server; the communication server sends a request for acquiring a public key of a terminal security chip to a CA server;
a reading subunit for the CA server to read the public key K from the security chiptAnd returns to the communication server;
a character string generation subunit for generating a string containing N by the communication servert、NsAnd KtA certificate request character string A of the information and sends A to the terminal;
a receipt subunit for the CA server to sign A to obtain a signature result SaAnd then S isaReturning to the communication server; communication server according to Nt、Ns、Kt、SaAnd the terminal uses the unit name to generate a certificate application file for the terminal.
6. The system of claim 4, wherein the interaction unit comprises:
an encryption subunit, configured to, after the communication server and the base station successfully authenticate the identities, protect the transmission data message M sent by the encryption key pair by using field transmission datafmIs encrypted and provided with IV0Calculating message authentication code for MAC initial vector to obtain { cipher text Efm+MACfmAnd sending the data to a base station;
a decryption subunit, which is used for the base station to take the communication server ID as a dispersion factor, disperse the field transmission data protection decryption key in the quantum random number generator and carry out the decryption on the { Efm+MACfmCarry out verificationMessage authentication, decoding and decryption operation are carried out, and plaintext message data are obtained;
a key dispersion subunit, which is used for the base station to disperse the field transmission data protection encryption key in the quantum random number generator by taking the communication server ID as a dispersion factor and to transmit the transmission data message MmfCarrying out encryption; and with IV0Calculating message authentication code for initial vector of message authentication code to obtain { ciphertext Emf+MACmfSending the data to a communication server;
a plaintext message data acquisition subunit for protecting the decryption key pair { E ] by the communication server using field transmission datamf+MACmfAnd carrying out authentication, decoding and decryption operation on the verification message to obtain plaintext message data.
7. The system of claim 1, wherein the update module comprises: the device comprises an updating unit and a test certificate importing unit;
the test certificate importing unit is used for the communication server to send the formal digital certificate to the CA server in a plaintext form, and the CA server downloads the digital certificate to the security chip of the CA server and returns a certificate updating result to the communication server.
8. The system of claim 7, wherein the update unit comprises:
a first signature result obtaining subunit, configured to, after the CA server receives the terminal security chip serial number obtaining instruction, return a security chip serial number Ns(ii) a The communication server sends a key version number acquisition instruction to the CA server; the CA server reads the version number V of the symmetric key from the security chip1Obtaining a random number R3Returning to the communication server; communication server pair { Ns+V1+R3Sign acquisition signature result SrkAnd will { N }s+V1+R3+Srk+ signing key identification IfSending the data to a base station;
an authentication subunit for a base station to pass a communication serviceThe digital certificate verifies the validity of the signature, and if the signature passes the verification, the digital certificate verifies the validity of the signature according to the version number V of the secret key1Judging the version number of the symmetric key derived from the encryption authentication device;
a second signature result obtaining subunit, configured to enable the base station to obtain the terminal random number R3As an initial vector for calculating the message authentication code, the serial number N of the terminal security chipsAs a dispersion factor pair V1The master key of the version is dispersed to obtain a protection transmission key, and a symmetric key P of a specified version is dispersedly derivedk(ii) a And based on SM2 algorithm, P is paired by using private key of base stationkSigning to obtain a signature result SkIdentification of { signing Key Iask+Pk+SkSending the data to a CA server through the communication server;
a return subunit, configured to, after the CA server receives the key recovery packet, identify the { signing key identifier Iask+Pk+SkSending the key to the safety chip to update the symmetric key and returning the update result information to the communication server.
CN202111301976.9A 2021-11-04 2021-11-04 Quantum encryption information transmission system Pending CN114091055A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111301976.9A CN114091055A (en) 2021-11-04 2021-11-04 Quantum encryption information transmission system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111301976.9A CN114091055A (en) 2021-11-04 2021-11-04 Quantum encryption information transmission system

Publications (1)

Publication Number Publication Date
CN114091055A true CN114091055A (en) 2022-02-25

Family

ID=80298906

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111301976.9A Pending CN114091055A (en) 2021-11-04 2021-11-04 Quantum encryption information transmission system

Country Status (1)

Country Link
CN (1) CN114091055A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826593A (en) * 2022-06-28 2022-07-29 济南量子技术研究院 Quantum security data transmission method and digital certificate authentication system

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826593A (en) * 2022-06-28 2022-07-29 济南量子技术研究院 Quantum security data transmission method and digital certificate authentication system

Similar Documents

Publication Publication Date Title
CN109309565B (en) Security authentication method and device
CN109257328B (en) Safe interaction method and device for field operation and maintenance data
CN111614637B (en) Secure communication method and system based on software cryptographic module
CN104735068B (en) Method based on the close SIP safety certification of state
CN101212293B (en) Identity authentication method and system
CN110990827A (en) Identity information verification method, server and storage medium
CN104580250A (en) System and method for authenticating credible identities on basis of safety chips
JPH06223041A (en) Rarge-area environment user certification system
CN108323230B (en) Method for transmitting key, receiving terminal and distributing terminal
CN109474419A (en) A kind of living body portrait photo encryption and decryption method and encrypting and deciphering system
CN114692218A (en) Electronic signature method, equipment and system for individual user
CN111435390A (en) Safety protection method for operation and maintenance tool of power distribution terminal
CN114553441B (en) Electronic contract signing method and system
CN114338201B (en) Data processing method and device, electronic equipment and storage medium
CN110611679A (en) Data transmission method, device, equipment and system
CN114091055A (en) Quantum encryption information transmission system
CN106027254A (en) Secret key use method for identity card reading terminal in identity card authentication system
CN106375327B (en) A kind of proxy signature key of anti-malicious attack obscures electronic voting system and method
CN111224784B (en) Role separation distributed authentication and authorization method based on hardware trusted root
CN108551391A (en) A kind of authentication method based on USB-key
CN104883260B (en) Certificate information processing and verification method, processing terminal and authentication server
CN116132986A (en) Data transmission method, electronic equipment and storage medium
CN106027474A (en) Identity card reading terminal in identity card authentication system
JP2007116641A (en) Private information transmitting method
CN115296800A (en) Verification method and system for cipher module firmware

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination