CN114362935A - Method for indirect communication of multiple quantum key management terminal devices - Google Patents

Method for indirect communication of multiple quantum key management terminal devices

Info

Publication number
CN114362935A
Authority
CN (China)
Prior art keywords
kmn, kms, connection, data, indirect communication
Legal status
Granted
Application number
CN202111626899.4A
Other languages
Chinese (zh)
Other versions
CN114362935B (en)
Inventors
郭邦红, 胡敏
Current Assignee
National Quantum Communication Guangdong Co Ltd
Original Assignee
National Quantum Communication Guangdong Co Ltd
Legal status
Active

Abstract

The invention discloses a method for indirect communication among multiple quantum key management terminal devices, in which a quantum Key Management Server (KMS) connects separately to each of the two key management clients (KM) that need to communicate, so that indirect communication between the two KMs is achieved without establishing communication links between multiple KMs. The invention reduces the number of communication links established in the network, reduces network complexity and the load of the whole network's communication, and improves the robustness of the network; the number of nodes through which the key plaintext passes is reduced, so the security of the key is further improved.

Description

Method for indirect communication of multiple quantum key management terminal devices
Technical Field
The invention relates to the field of quantum secure communication, in particular to a method for indirect communication among a plurality of quantum key management terminal devices.
Background
Quantum communication is a new mode of communication that transmits information by means of quantum superposition states and entanglement effects; it is a new interdisciplinary field combining quantum physics and information science. Benefiting from the rapid development of optical communication technology, photon-based quantum secure communication has gradually moved from theory to engineering practice. Quantum secure communication can in theory achieve absolute security, and has therefore attracted wide attention from all sectors of society.
The main role of a quantum secure communication network is to implement symmetric key sharing between two communicating parties. Since the maximum distance of unrepeatered quantum secure communication is limited, long-distance key transmission is completed through relay nodes. The methods currently adopted are trusted relays and quantum relays. Quantum relay technology is highly difficult and hard to realise at present, so trusted relays are used in actual quantum secure communication networks.
As shown in FIG. 1, an actual quantum secure communication network contains a large number of user nodes, relay nodes and backbone network nodes, and the data communication between key management terminals needed to exchange keys is implemented by creating a large number of network connections between them. For example, key sharing between KM1 and KM5 requires establishing the connection links KM1-KM2, KM2-KM3, KM3-KM4 and KM4-KM5, as well as a link from the KMS to each of KM1 to KM5, and maintaining these links while communicating. Obviously, such a method increases the difficulty of link management and also wastes resources. Meanwhile, to ensure security, authentication between the devices has to be carried out every time a connection is established, so communication can only be completed after multiple data and signalling interactions, which challenges the carrying capacity of the network and the robustness of the software.
Therefore, it is necessary to improve on the prior art and propose a communication method between quantum key management terminal devices that reduces the complexity of the network and reduces time delay and network load.
Disclosure of Invention
To solve this technical problem, a method for indirect communication among a plurality of quantum key management terminal devices is provided.
To achieve this purpose, the technical scheme adopted by the invention is as follows: a method for indirect communication among a plurality of quantum key management terminal devices, involving a KMS and a plurality of KMs, where the KMS is connected to each KM separately through a securely authenticated classical channel, and the method comprises the following steps:
step S1: establishing an indirect communication network among the plurality of KMs;
step S2: the plurality of KMs communicate through the established indirect communication network;
in step S1, any two adjacent KMs KMn and KMn+1 among the plurality of KMs establish an indirect communication network, so as to form a sequential connection among the plurality of KMs; the steps for establishing the indirect communication network between any two adjacent KMn and KMn+1 are as follows:
s1-1: KMn sends a connection establishment request to the KMS and establishes a network connection session1 with the KMS;
s1-2: the KMS saves the current connection session1;
s1-3: KMn+1 sends a connection establishment request to the KMS and establishes a network connection session2 with the KMS;
s1-4: the KMS saves the current connection session2;
s1-5: KMn sends its local ID number to the KMS;
s1-6: the KMS binds the ID number of KMn to the current connection session1;
s1-7: KMn sends the ID number of its adjacent KMn+1 to the KMS;
s1-8: the KMS saves the ID number of KMn+1 into the current connection session1;
s1-9: KMn+1 sends its local ID number to the KMS;
s1-10: the KMS binds the ID number of KMn+1 to the current connection session2;
s1-11: KMn+1 sends the ID number of its adjacent KMn to the KMS;
s1-12: the KMS saves the ID number of KMn into the current connection session2;
indirect communication between KMn and KMn+1 is established through the above steps.
Preferably, the binding between the ID number of KMn and the current connection session1 in step S1-6 is performed as follows:
the data are saved as key-value pairs, where the key is the ID number of KMn and the value is the current connection session1, so that connection session1 can be obtained from a known ID number.
Preferably, the ID number of KMn+1 is bound to the current connection session2 in step S1-10 as follows: the data are saved as key-value pairs, where the key is the ID number of KMn+1 and the value is the current connection session2, so that connection session2 can be obtained from a known ID number.
Preferably, the steps for communication among the plurality of KMs in step S2 are as follows:
s2-1: KMn sends data to the KMS, attaching the ID number of KMn+1 (namely the destination of the data transmission);
s2-2: after receiving the data sent by KMn, the KMS searches all stored KM connection sessions for the connection session2 bound to KMn+1, according to the attached ID number of KMn+1;
s2-3: the KMS forwards the data to KMn+1 through connection session2;
s2-4: after receiving the data forwarded by the KMS, KMn+1 parses the data;
s2-5: KMn+1 performs the response operation according to the parsed data and sends the response data to the KMS, attaching the ID number of KMn to the response data;
s2-6: after receiving the data sent by KMn+1, the KMS searches all stored KM connection sessions for the connection session1 bound to KMn, according to the attached ID number of KMn;
s2-7: having found the session1 corresponding to KMn in step S2-6, the KMS forwards the data to KMn through session1;
s2-8: after receiving the data forwarded by the KMS, KMn parses the data;
at this point, the indirect communication between KMn and KMn+1 is completed.
The beneficial technical effects of the invention are as follows:
according to the invention, indirect network connections are established among the plurality of KMs, so direct connections between KMs are reduced, unnecessary consumption of system resources and the probability of network congestion are reduced, the complexity of the network links is reduced, management efficiency is improved, and repeated device security authentication operations are reduced.
Drawings
FIG. 1 is a block diagram of the network architecture of a legacy system;
FIG. 2 is a block diagram of the network architecture of the present invention;
FIG. 3 is a flow chart of establishing a session between a KMS and a KM according to the present invention;
FIG. 4 is a flow chart of establishing a session between KMs according to the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further described in detail with reference to the following embodiments, but the scope of the invention is not limited to them.
As shown in FIG. 1, the method for indirect communication among multiple quantum key management terminal devices reduces the links among the quantum key management terminals, reduces network complexity and improves system robustness. The KMS (Key Management Server) connects separately to the two KMs (Key Management clients) that need to communicate, so that no communication links between multiple KMs need to be established, indirect communication between the two KMs is realised, the number of nodes through which key plaintext passes is reduced, and security is further improved.
Specifically, a method for indirect communication among multiple quantum key management terminal devices involves a KMS and multiple KMs, where the KMS is connected to each KM separately through a securely authenticated classical channel, and the method includes the following steps:
step S1: establishing an indirect communication network among the multiple KMs;
step S2: the multiple KMs communicate with each other via the indirect communication network.
In step S1, any two adjacent KMs KMn and KMn+1 among the multiple KMs establish an indirect communication network, where n = 1, 2, 3, …, thereby forming a sequential connection among the multiple KMs.
The steps for any two adjacent KMn and KMn+1 to establish an indirect communication network are as follows:
s1-1: KMn sends a connection establishment request to the KMS and establishes a network connection session1 with the KMS;
s1-2: the KMS saves the current connection session1;
s1-3: KMn+1 sends a connection establishment request to the KMS and establishes a network connection session2 with the KMS;
s1-4: the KMS saves the current connection session2;
s1-5: KMn sends its local ID number to the KMS;
s1-6: the KMS binds the ID number of KMn to the current connection session1;
s1-7: KMn sends the ID number of its adjacent KMn+1 to the KMS;
s1-8: the KMS saves the ID number of KMn+1 into the current connection session2;
s1-9: KMn+1 sends its local ID number to the KMS;
s1-10: the KMS binds the ID number of KMn+1 to the current connection session2;
s1-11: KMn+1 sends the ID number of its adjacent KMn to the KMS;
s1-12: the KMS saves the ID number of KMn into the current connection session2;
through the above steps, the KMS has a network connection with KMn through session1 and with KMn+1 through session2, KMn and KMn+1 each have the other party's ID number stored, and the KMS can find the corresponding session from an ID number, so indirect communication between KMn and KMn+1 is established.
Preferably, the binding between the ID number of KMn and the current connection session1 in step S1-6 is performed as follows:
the data are saved as key-value pairs, where the key is the ID number of KM1 and the value is the current connection session1, so that connection session1 can be obtained from a known ID number.
The ID number of KMn+1 is bound to the current connection session2 in step S1-10 as follows: the data are saved as key-value pairs, where the key is the ID number of KMn+1 and the value is the current connection session2, so that connection session2 can be obtained from a known ID number.
The steps for communication among the multiple KMs in step S2 are as follows:
s2-1: KMn sends data to the KMS, attaching the ID number of KMn+1 (namely the destination of the data transmission);
s2-2: after receiving the data sent by KMn, the KMS searches all stored KM connection sessions for the connection session2 bound to KMn+1, according to the attached ID number of KMn+1;
s2-3: the KMS forwards the data to KMn+1 through connection session2;
s2-4: after receiving the data forwarded by the KMS, KMn+1 parses the data;
s2-5: KMn+1 performs the response operation according to the parsed data and sends the response data to the KMS, attaching the ID number of KMn to the response data;
s2-6: after receiving the data sent by KMn+1, the KMS searches all stored KM connection sessions for the connection session1 bound to KMn, according to the attached ID number of KMn;
s2-7: having found the session1 corresponding to KMn in step S2-6, the KMS forwards the data to KMn through session1;
s2-8: after receiving the data forwarded by the KMS, KMn parses the data;
at this point, the indirect communication between KMn and KMn+1 is completed.
The invention reduces the complexity of the network links to a certain extent and improves management efficiency; network connections between KMs are reduced, so unnecessary consumption of system resources is reduced; the probability of network congestion is reduced; and since device security authentication is required every time a connection is established between KMs, the repeated device security authentication work is reduced.
Variations and modifications of the above-described embodiments may occur to those skilled in the art and fall within the scope and spirit of the above description. Therefore, the present invention is not limited to the specific embodiments disclosed and described above, and such modifications and variations of the present invention should fall within the scope of its claims. Furthermore, although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.
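The following is an added simulation of the S1 session binding and the S2 relaying described above for two adjacent KMs through one KMS; it is example code written for this page, not code from the patent or its assignee. It assumes, beyond what the patent states, that the securely authenticated classical channel yields an authenticated peer identity per session, which the KMS checks against the ID a KM declares in S1-5/S1-9, and that a session is an in-memory object with an inbox standing in for the network connection; it also shows the failure case of relaying to an ID with no bound session.

```python
"""Added simulation of the S1 / S2 indirect-communication procedure (not patent code).

Assumptions not stated in the patent: each session carries the peer identity
established by the authenticated classical channel; the KMS accepts a KM's
declared ID (S1-5 / S1-9) only if it equals that identity; a session is an
in-memory object with an inbox standing in for the network connection.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    """One KMS<->KM network connection (session1 / session2 in the patent)."""
    session_id: int
    auth_peer: str                       # identity from the authenticated channel (assumed)
    bound_id: Optional[str] = None       # the KM's own ID, bound in S1-6 / S1-10
    neighbour_id: Optional[str] = None   # the adjacent KM's ID, saved in S1-8 / S1-12
    inbox: List[dict] = field(default_factory=list)


class KMS:
    """Key Management Server holding the ID -> session key-value table."""

    def __init__(self) -> None:
        self._next_id = 1
        self._sessions: Dict[int, Session] = {}   # S1-2 / S1-4: all saved sessions
        self._by_km_id: Dict[str, Session] = {}   # key = KM ID, value = session

    def connect(self, auth_peer: str) -> Session:
        """S1-1 / S1-3: a KM opens a connection; S1-2 / S1-4: the KMS saves it."""
        s = Session(self._next_id, auth_peer)
        self._sessions[s.session_id] = s
        self._next_id += 1
        return s

    def bind_local_id(self, s: Session, km_id: str) -> None:
        """S1-5 / S1-9 then S1-6 / S1-10: bind the declared ID to the session."""
        if km_id != s.auth_peer:
            raise PermissionError(f"{km_id!r} is not the authenticated peer {s.auth_peer!r}")
        other = self._by_km_id.get(km_id)
        if other is not None and other is not s:
            raise ValueError(f"{km_id!r} is already bound to session {other.session_id}")
        s.bound_id = km_id
        self._by_km_id[km_id] = s

    def save_neighbour(self, s: Session, neighbour_id: str) -> None:
        """S1-7 / S1-11 then S1-8 / S1-12: record the adjacent KM's ID in the session."""
        s.neighbour_id = neighbour_id

    def forward(self, src: Session, dest_id: str, payload: bytes) -> bool:
        """S2-1..S2-3 (and S2-5..S2-7): look up dest_id and relay; False if undeliverable."""
        if src.bound_id is None:
            return False                    # a session that never completed S1 may not relay
        dest = self._by_km_id.get(dest_id)  # S2-2 / S2-6: one table lookup, not a scan
        if dest is None:
            return False                    # no connected KM has that ID
        dest.inbox.append({"from": src.bound_id, "payload": payload})
        return True


def run_indirect_exchange() -> tuple:
    """Full S1 then S2 between KM1 (session1) and KM2 (session2); returns both deliveries."""
    kms = KMS()
    s1 = kms.connect("KM1")                     # session1
    s2 = kms.connect("KM2")                     # session2
    kms.bind_local_id(s1, "KM1")                # S1-5, S1-6
    kms.save_neighbour(s1, "KM2")               # S1-7, S1-8
    kms.bind_local_id(s2, "KM2")                # S1-9, S1-10
    kms.save_neighbour(s2, "KM1")               # S1-11, S1-12
    ok = kms.forward(s1, s1.neighbour_id, b"key-request")     # S2-1..S2-3
    request = s2.inbox.pop() if ok else None                  # S2-4
    ok = kms.forward(s2, request["from"], b"key-response")    # S2-5..S2-7
    response = s1.inbox.pop() if ok else None                 # S2-8
    return request, response


if __name__ == "__main__":
    print(run_indirect_exchange())
```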

Claims (4)

1. A method for indirect communication among a plurality of quantum key management terminal devices, involving a KMS key management service system and a plurality of quantum key management terminals KM, wherein the KMS is connected to each KM separately through a classical channel, and the method comprises the following steps:
step S1: establishing an indirect communication network among the plurality of KMs;
step S2: the plurality of KMs communicate through the indirect communication network;
in step S1, any two adjacent KMs KMn and KMn+1 among the plurality of KMs establish an indirect communication network, so as to form a sequential connection among the plurality of KMs;
the steps for any two adjacent KMn and KMn+1 to establish an indirect communication network are as follows:
s1-1: KMn sends a connection establishment request to the KMS and establishes a network connection session1 with the KMS;
s1-2: the KMS saves the current connection session1;
s1-3: KMn+1 sends a connection establishment request to the KMS and establishes a network connection session2 with the KMS;
s1-4: the KMS saves the current connection session2;
s1-5: KMn sends its local ID number to the KMS;
s1-6: the KMS binds the ID number of KMn to the current connection session1;
s1-7: KMn sends the ID number of its adjacent KMn+1 to the KMS;
s1-8: the KMS saves the ID number of KMn+1 into the current connection session1;
s1-9: KMn+1 sends its local ID number to the KMS;
s1-10: the KMS binds the ID number of KMn+1 to the current connection session2;
s1-11: KMn+1 sends the ID number of its adjacent KMn to the KMS;
s1-12: the KMS saves the local ID number of KMn into the current connection session2;
indirect communication between KMn and KMn+1 is established through the above steps.
2. The method for indirect communication among multiple quantum key management terminal devices as claimed in claim 1, wherein the binding of the ID number of KMn to the current connection session1 in step S1-6 is as follows:
the data are stored as key-value pairs, where the key denotes the ID number of KMn and the value denotes the current connection session1.
3. The method for indirect communication among multiple quantum key management terminal devices as claimed in claim 1, wherein the ID number of KMn+1 is bound to the current connection session2 in step S1-10 as follows: the data are stored as key-value pairs, where the key denotes the ID number of KMn+1 and the value denotes the current connection session2.
4. The method for indirect communication among multiple quantum key management terminal devices as claimed in claim 1, wherein the steps for communication among the multiple KMs in step S2 are as follows:
s2-1: KMn sends data to the KMS, attaching the ID number of KMn+1;
s2-2: after receiving the data sent by KMn, the KMS searches all stored KM connection sessions for the connection session2 bound to KMn+1, according to the attached ID number of KMn+1;
s2-3: the KMS forwards the data to KMn+1 through session2;
s2-4: after receiving the data forwarded by the KMS, KMn+1 parses the data;
s2-5: KMn+1 performs the response operation according to the parsed data and sends the response data together with the ID number of KMn to the KMS;
s2-6: after receiving the data sent by KMn+1, the KMS searches all stored KM connection sessions for the connection session1 bound to KMn, according to the attached ID number of KMn;
s2-7: having found the session1 corresponding to KMn in step S2-6, the KMS forwards the data to KMn through session1;
s2-8: after receiving the data forwarded by the KMS, KMn parses the data;
at this point, the indirect communication between KMn and KMn+1 is completed.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011615759 2020-12-30
CN2020116157592 2020-12-30

Publications (2)

Publication Number Publication Date
CN114362935A true CN114362935A (en) 2022-04-15
CN114362935B CN114362935B (en) 2023-10-24

Family

ID=81103145

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111626899.4A Active CN114362935B (en) 2020-12-30 2021-12-28 Method for indirectly communicating multiple quantum key management terminal devices

Country Status (1)

Country Link
CN (1) CN114362935B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150188701A1 (en) * 2012-08-24 2015-07-02 Los Alamos National Security, Llc Scalable software architecture for quantum cryptographic key management
CN104780040A (en) * 2015-04-06 2015-07-15 安徽问天量子科技股份有限公司 Handheld device encryption method and system based on quantum cryptography
US20150281185A1 (en) * 2014-03-26 2015-10-01 Cisco Technology, Inc. Cloud Collaboration System With External Cryptographic Key Management
CN111385090A (en) * 2018-12-29 2020-07-07 山东量子科学技术研究院有限公司 Key distribution method and system based on multi-key combination quantum key relay
CN111756530A (en) * 2019-03-28 2020-10-09 广东国盾量子科技有限公司 Quantum service mobile engine system, network architecture and related equipment
CN111934871A (en) * 2020-09-23 2020-11-13 南京易科腾信息技术有限公司 Quantum key management service core network, system and quantum key negotiation method


Also Published As

Publication number Publication date
CN114362935B (en) 2023-10-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant