CN114697039A - Identity authentication method of quantum cipher network expansion network equipment - Google Patents


Publication number
CN114697039A
Authority
CN
China
Prior art keywords
key
quantum
network
server
external equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011638249.7A
Other languages
Chinese (zh)
Inventor
Inventor not disclosed
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Institute Of Quantum Science And Technology Co ltd
Quantumctek Co Ltd
Original Assignee
Shandong Institute Of Quantum Science And Technology Co ltd
Quantumctek Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Institute Of Quantum Science And Technology Co ltd, Quantumctek Co Ltd
Priority to CN202011638249.7A
Publication of CN114697039A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography

Abstract

The invention provides an identity authentication method for quantum cryptography network expansion network equipment, comprising two parts. Authentication when the external equipment acquires the quantum key: the network access information of the external equipment is authenticated; after the authentication succeeds, the quantum cipher network server side generates a quantum key, a server-side key and an external equipment key, and sends the quantum key and the external equipment key to the external equipment. Identity authentication when the external equipment and the quantum cipher network server side carry out encrypted communication: the external equipment selects a key from the received quantum keys, encrypts the key by using the generated server-side key to generate a ciphertext, and sends the ciphertext to the quantum cipher network server side for decryption and authentication. The method ensures the security of the network access authentication information of the external equipment and improves identity authentication security during encrypted communication.

Description

Identity authentication method of quantum cipher network expansion network equipment
Technical Field
The disclosure belongs to the technical field of quantum key communication, and relates to an identity authentication method for quantum cryptography network expansion network equipment.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
A quantum cryptography network is an emerging kind of secure network. It comprises two networks: a classical communication network (classical internet or mobile internet) and a Quantum Key Distribution (QKD) network. The QKD network generates quantum keys, and the classical communication network uses the quantum keys generated by the QKD network for quantum secure communications. The terminals or servers in the quantum cryptography network can perform quantum secret communication through the shared quantum key, which is equivalent to having a quantum secret communication link, or quantum secret channel, between those terminals or servers.
Due to the construction and use cost of the QKD network, user requirements and the like, the quantum cryptography network is small in scale, the number of terminal users of the quantum cryptography network is far smaller than that of internet users, and some terminal users of the quantum cryptography network are limited by the quantum key distribution rate and can only use the quantum key to carry out secret communication in a short time.
Strict identity authentication of network access equipment is a very important aspect of ensuring the security of a quantum cryptography network system. The access of quantum cryptography network expansion network equipment also needs strict identity authentication. Unlike the access of quantum cipher network equipment, the access authentication of quantum cipher network expansion network equipment comprises two aspects: the identity authentication when the expansion network equipment accesses the network through a quantum cipher network terminal to download a quantum key, and the identity authentication when the expansion network equipment uses the downloaded quantum key for encrypted communication with quantum cipher network equipment. The first aspect is to prevent a quantum key from being distributed to an illegal device, and the second aspect is to prevent an illegal device from performing encrypted communication with a quantum cryptography network device using a legitimate quantum key.
However, the inventor knows that the prior art extended network device (mobile terminal device, quantum key card, mobile storage device, etc.) identity authentication method has the following disadvantages:
identity authentication when the expansion network equipment uses the downloaded quantum key for encryption communication is not considered;
the identity authentication method for quantum key encryption communication by using the expanded network equipment has potential safety hazards or security holes.
Some prior art schemes illustrate the above problems. For example, patent CN 105812367 A discloses an authentication system and an authentication method for network access devices in a quantum network, which implement verification of the legal identity of a user device by the quantum network system. That scheme is suited to equipment that accesses the quantum cryptography network directly, and it authenticates network access equipment for encrypted communication by using a quantum gateway of the quantum cryptography network; it is not suited to device authentication when quantum cryptography network expansion equipment carries out encrypted communication by using a downloaded quantum key.
The utility model CN 204967834 U discloses a mobile device secret communication system based on quantum cryptography, in which a mobile device terminal downloads quantum keys from a quantum cryptography network and the quantum keys are used for encrypted communication between mobile terminals. That patent performs identity authentication on the mobile equipment both when the quantum key is downloaded and when the quantum key is used for encrypted communication, but it neglects the encryption protection of the identity authentication information during that authentication, which leaves a potential safety hazard for the identity authentication of the mobile equipment.
Document CN 108173649 A discloses a message authentication system and a message authentication method based on a quantum key fob, in which a seed key is downloaded from a quantum network service station through the quantum key fob, and two clients generate a message authentication code based on a common seed key between their quantum key fobs to implement mutual authentication of each other's identities during communication. That patent realizes the identity authentication of the quantum key fob when downloading the seed key, but because the identity authentication during communication is carried out between two clients that have not themselves completed identity authentication, the method is vulnerable to impersonation by a man in the middle and has security holes.
Disclosure of Invention
The present disclosure provides an identity authentication method for a quantum cryptography network extension network device to solve the above problems, and the present disclosure can realize strict identity authentication when the quantum cryptography network extension network device obtains a quantum key through a quantum cryptography network and when encrypted communication is performed through the quantum cryptography network.
Firstly, in order to ensure that the technical scheme is clearer and simpler, the following necessary descriptions are carried out:
the quantum cipher network expansion network equipment is called quantum cipher network external equipment, which is referred to as external equipment for short.
The network terminal equipment with the functions of quantum key distribution, quantum key management and quantum key encryption and decryption is called quantum cipher network terminal for short.
The classic network communication device which does not have the quantum key distribution function (does not have access to the quantum key distribution network) but can obtain the quantum key through physical downloading or through a classic network encryption channel and carry out encryption communication based on the quantum key is called as quantum cryptography network extension network device.
Classical network users (internet users or mobile internet users) can download quantum keys to quantum cipher network terminals and carry out encrypted communication based on the quantum keys through the stored quantum keys.
A quantum key distribution service station is established at a quantum cipher network terminal to provide key distribution downloading service for classical network communication equipment, so that the number of quantum cipher network expansion network equipment can be increased, and the coverage range of quantum key-based encrypted communication in the Internet is increased.
According to some embodiments, the following technical scheme is adopted in the disclosure:
an identity authentication method of quantum cryptography network expansion network equipment comprises the following steps:
Authentication when the external equipment acquires the quantum key: the network access information of the external equipment is authenticated; after the authentication succeeds, the quantum cipher network server side generates a quantum key, a server-side key and an external equipment key, and sends the quantum key and the external equipment key to the external equipment;
Identity authentication when the external equipment and the quantum cipher network server side carry out encrypted communication: the external equipment selects a key from the received quantum keys, encrypts the key by using the generated server-side key to generate a ciphertext, and sends the ciphertext to the quantum cipher network server side for decryption and authentication.
As an alternative implementation, in the process of authenticating the network access information of the external device, if the authentication is unsuccessful, the quantum cryptography network server refuses to provide the key distribution service to the external device.
As an alternative implementation, the process of generating the server-side key and the external device key includes: selecting a random number R1, and generating the server-side key from the random number R1 and the network access authentication code MACB of the external equipment, wherein the external device key is the random number R1.
As an alternative implementation, after receiving the quantum key, the external device performs key partitioning and sequential numbering on the quantum key according to a preset length, and meanwhile, the external device stores the key.
In an alternative embodiment, the quantum cryptography network server performs key division and synchronization sequence numbering of a preset length on the generated quantum keys, encrypts each quantum key by using a server key to generate a new key, and the new key has the same length as the quantum key before encryption and maintains the same number.
As an alternative implementation, the specific process of the external device selecting a key from the received quantum keys includes: the external equipment selects, from the quantum keys, a quantum key K which is unused or whose number of uses is lower than the set number of uses, the serial number of the quantum key K being N; the network access authentication information is used to generate a network access authentication code MACB, a key KS is generated by using the key KB of the external equipment and the MACB, and the quantum key K is encrypted by using the key KS to generate Kau; the quantum key with the number N is still stored as K, and the use count of K is increased by 1.
As an alternative embodiment, encrypting with the generated server-side key to generate the ciphertext includes: according to a prearranged encryption algorithm M, the external device uses Kau as a private key to generate a public key PauB, selects a random number R2, and encrypts R2 with the public key PauB to generate a ciphertext E(R2, PauB); the external device sends the number N, the random number R2 and the ciphertext E(R2, PauB) to the quantum cryptography network server side.
As an alternative implementation, the specific process of decryption authentication at the quantum cryptography network server side includes: the quantum cipher network server receives the number N, the random number R2 and the ciphertext E(R2, PauB), selects the key KauS with the serial number N in KS, and, adopting the encryption algorithm M with the key KauS as the private key, decrypts E(R2, PauB) to obtain R'2; if R'2 = R2, the authentication is successful.
As an alternative embodiment, the encryption algorithm M is a LWE-based lattice public key algorithm.
An identity authentication system of quantum cryptography network extension network equipment comprises a quantum cryptography network server and external equipment, wherein:
the quantum cipher network server end comprises a network access authentication server, a key distribution server and a quantum cipher network terminal;
the network access authentication server is configured to execute identity authentication when the external device acquires the quantum key: the method comprises the steps that network access information of the external equipment is authenticated, and after the authentication is successful, a server side key and an external equipment key are respectively sent to a key distribution server and a quantum cipher network terminal to inform the key distribution server and the quantum cipher network terminal to distribute quantum keys;
the quantum cipher network terminal is configured to receive an external device key sent by the network access authentication server, distribute a quantum key with the key distribution server, and send the generated quantum key and the external device key to the external device;
the external equipment and the key distribution server respectively divide and sequentially number the shared quantum keys;
the key distribution server is configured to execute identity authentication when the external device and the quantum cryptography network server side perform encryption communication: receiving a key selected by the external equipment from the quantum keys and encrypted by using the generated server-side key to generate a ciphertext, and performing decryption authentication.
Compared with the prior art, the beneficial effects of this disclosure are:
A network access authentication server is established to perform device authentication on external equipment that accesses the quantum cipher network to download a quantum key. During device authentication, the external equipment accesses the quantum cipher network through a quantum cipher network terminal, provides network access authentication information to the network access authentication server through a quantum secret channel, and applies for network access authentication, so that the security of the network access authentication information of the external equipment is guaranteed. Because identity authentication is carried out by the network access authentication server, the external equipment can physically connect to any quantum cipher network terminal to obtain the quantum key.
After the access authentication of the external equipment accessing the quantum cipher network terminal to download the quantum key is successful, the access authentication server encrypts the shared quantum key between the key distribution server and the external equipment by constructing the shared quantum key encryption key KS so that the ciphertext of the shared quantum key contains the identity authentication information of the external equipment, and the identity authentication of the external equipment is realized when the external equipment uses the shared quantum key to carry out encryption communication.
The quantum key encryption key KS of this disclosure is generated from the network access authentication code MACB of the external equipment and a random number R1. The use of R1 ensures that the key distribution server obtains KS without obtaining the MACB information, which helps protect the security of the MACB information. On the expansion equipment, when the quantum key is used for encrypted communication, the user inputs the authentication information to generate MACB, and the quantum key encryption key KS is then generated in real time from MACB and R1, which guarantees the security of KS to the maximum extent and thereby improves identity authentication security during encrypted communication.
According to the method, when the external equipment uses the shared key to carry out encrypted communication, the identity authentication of the external equipment is realized by lattice public key encryption. Compared with classical encryption algorithms based on computational complexity, a lattice cipher constructed on the LWE problem has higher cracking complexity, resists quantum attacks, and offers higher security.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and are not to limit the disclosure.
FIG. 1 is a system configuration diagram of the present embodiment;
FIG. 2 is a connection state diagram of the external device during network access authentication for downloading quantum keys;
fig. 3 is a schematic diagram of the identity authentication process of the external device B.
Detailed Description
The present disclosure is further described with reference to the following drawings and examples.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present disclosure. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof.
An identity authentication method of quantum cryptography network expansion network equipment is used for achieving identity authentication when the quantum cryptography network expansion network equipment obtains a quantum key through a quantum cryptography network and when encrypted communication is conducted through the quantum cryptography network.
For convenience of reference, the quantum cryptography network expansion network device is referred to as a quantum cryptography network external device, which is referred to as an external device for short.
An external device network access authentication server (simply referred to as a network access authentication server) and a key distribution server are established in a quantum cryptography network. The network access authentication server is used for network access authentication of the external equipment of the quantum cryptography network. The network access authentication server records authentication information of the external equipment and a network access authentication code generated by the authentication information, and is used for identity authentication when the external equipment accesses the network and downloads the quantum key. The key distribution server is used for distributing the quantum key to the external equipment, the external equipment uses the quantum key to carry out information relay of encrypted communication through a quantum cipher network, and the key distribution server is used for identity authentication when the external equipment carries out the encrypted communication of the quantum key.
First, identity authentication when the external equipment acquires a quantum key:
The external equipment B accesses the quantum cipher network through the quantum cipher network terminal A, provides network access authentication information to the network access authentication server through a quantum secret channel, and applies for network access authentication. The network access authentication server authenticates the network access information provided by the external equipment B. If the authentication is unsuccessful, the key distribution server S refuses to provide key distribution service for the external equipment B. If the authentication is successful, the authentication server sends a server-side key KS for this key distribution to the key distribution server through a quantum secret channel and provides an external device key KB for this key distribution to the external device B. KS and KB are generated as follows:
The network access authentication server selects a random number R1, reads the stored network access authentication code MACB of the external equipment B, and generates KS from R1 and MACB; KB = R1.
After the network access authentication is successful, the key distribution server S and the terminal A carry out quantum key distribution, the external device B stores the quantum key obtained from the terminal A, carries out key division and sequential numbering on the quantum key according to the appointed length, and simultaneously stores the key KB sent by the network access authentication server;
and the key distribution server S performs key division and synchronous sequence numbering on the shared quantum keys in the same way as the external equipment B, encrypts each quantum key by using a key KS to generate a new key, wherein the new key has the same length as the quantum key before encryption, keeps the same number, and all the new keys are represented by symbols KS.
Second, identity authentication when the external equipment B and the key distribution server S carry out encrypted communication:
When the external device B uses the quantum key to carry out encrypted communication, it must first authenticate its identity to the key distribution server S. The authentication process is as follows:
1. The external equipment selects, from the quantum keys, a quantum key K which is unused or whose number of uses is lower than the set number of uses, the serial number of the quantum key K being N; the network access authentication information is used to generate a network access authentication code MACB, a key KS is generated by using KB and MACB, and the quantum key K is encrypted by using the key KS to generate Kau; the quantum key with the number N is still stored as K, and the use count of K is increased by 1;
2. According to a predetermined public key encryption algorithm M, the external device B uses Kau as a private key to generate a public key PauB, selects a random number R2, and encrypts R2 with the public key PauB to generate a ciphertext E(R2, PauB); the external device B sends N, R2 and the ciphertext E(R2, PauB) to S;
3. The key distribution server S receives N, R2 and the ciphertext E(R2, PauB), selects in KS the key KauS with the serial number N, and, adopting the encryption algorithm M with the key KauS as the private key, decrypts E(R2, PauB) to obtain R'2; if R'2 = R2, the authentication is successful.
As an alternative embodiment, the algorithm M is a LWE-based lattice public key algorithm.
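The three authentication steps above, run end to end on both sides, as an added example that is not taken from the patent. The patent does not specify how KS is derived from R1 and MACB, how K is encrypted under KS, or which LWE scheme M is; HMAC-SHA256, a SHAKE-256 keystream XOR and a toy Regev-style bitwise LWE scheme are assumptions made here, every function name is hypothetical, and the parameters are far too small to be secure.

```python
import hashlib
import hmac
import secrets

# Toy LWE parameters (assumption, NOT secure): modulus, secret length, samples.
Q, DIM, SAMPLES = 3329, 32, 64

def make_ks(r1, macb):
    """KS from R1 and MACB. Assumption: HMAC-SHA256 keyed with MACB."""
    return hmac.new(macb, r1, hashlib.sha256).digest()

def wrap(ks, n, k):
    """Encrypt quantum key K (number N) under KS, keeping its length.
    Assumption: XOR with a SHAKE-256 keystream bound to KS and N."""
    stream = hashlib.shake_256(ks + n.to_bytes(4, "big")).digest(len(k))
    return bytes(a ^ b for a, b in zip(k, stream))

def secret_vector(kau):
    """Expand Kau into the LWE private vector s (mod Q)."""
    raw = hashlib.shake_256(b"lwe-secret" + kau).digest(2 * DIM)
    return [int.from_bytes(raw[2 * i:2 * i + 2], "big") % Q for i in range(DIM)]

def public_key(kau):
    """PauB = (A, b) with b = A*s + e, e in {-1, 0, 1}."""
    s = secret_vector(kau)
    a = [[secrets.randbelow(Q) for _ in range(DIM)] for _ in range(SAMPLES)]
    b = [(sum(x * y for x, y in zip(row, s)) + secrets.randbelow(3) - 1) % Q
         for row in a]
    return a, b

def encrypt(pub, data):
    """Regev-style bitwise encryption: one (u, v) pair per plaintext bit."""
    a, b = pub
    ct = []
    for i in range(8 * len(data)):
        bit = (data[i // 8] >> (7 - i % 8)) & 1
        rows = [j for j in range(SAMPLES) if secrets.randbits(1)]
        u = [sum(a[j][c] for j in rows) % Q for c in range(DIM)]
        v = (sum(b[j] for j in rows) + bit * (Q // 2)) % Q
        ct.append((u, v))
    return ct

def decrypt(kau, ct):
    """Recover bits: v - <u, s> is near Q/2 for 1, near 0 for 0.
    Accumulated error is at most SAMPLES = 64 < Q/4, so this is exact."""
    s = secret_vector(kau)
    out = bytearray(len(ct) // 8)
    for i, (u, v) in enumerate(ct[:8 * len(out)]):
        d = (v - sum(x * y for x, y in zip(u, s))) % Q
        if Q // 4 < d < 3 * Q // 4:
            out[i // 8] |= 1 << (7 - i % 8)
    return bytes(out)

class KeyDistributionServer:
    """Holds only the new keys (each K encrypted with KS), same numbering."""
    def __init__(self, ks, quantum_keys):
        self.new_keys = {n: wrap(ks, n, k) for n, k in quantum_keys.items()}

    def authenticate(self, n, r2, ct):
        kau_s = self.new_keys.get(n)          # step 3: key KauS numbered N
        if kau_s is None or not r2 or len(ct) != 8 * len(r2):
            return False                      # unknown number or malformed request
        return hmac.compare_digest(decrypt(kau_s, ct), r2)   # R'2 == R2 ?

def device_request(quantum_keys, kb, macb, n):
    """Steps 1 and 2 on external device B; returns (N, R2, E(R2, PauB))."""
    ks = make_ks(kb, macb)                    # KB = R1; MACB rebuilt from user input
    kau = wrap(ks, n, quantum_keys[n])        # Kau = K encrypted with KS
    r2 = secrets.token_bytes(8)
    return n, r2, encrypt(public_key(kau), r2)

def demo():
    # Constructed sample values; nothing here comes from the patent.
    macb = hashlib.sha256(b"device-B|constructed-password").digest()
    r1 = secrets.token_bytes(16)              # chosen by the authentication server
    keys = {n: secrets.token_bytes(32) for n in range(4)}   # divided, numbered
    server = KeyDistributionServer(make_ks(r1, macb), keys)
    good = server.authenticate(*device_request(keys, r1, macb, 2))
    wrong_macb = hashlib.sha256(b"device-B|wrong-password").digest()
    bad = server.authenticate(*device_request(keys, r1, wrong_macb, 2))
    return good, bad

if __name__ == "__main__":
    print(demo())
```

The second request in `demo()` holds the correct quantum key and KB but rebuilds MACB from wrong authentication information, so its Kau differs from the server's KauS and the decrypted value does not match R2.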
As a typical embodiment, the method relies on a system structure of identity authentication of a quantum cryptography network extension network device, as shown in fig. 1.
The whole system comprises a network access authentication server and a key distribution server which are positioned in the quantum cryptography network, and external equipment which does not belong to the quantum cryptography network.
The network access authentication server is located in the quantum cipher network and is responsible for network access authentication of external equipment that accesses the network through a quantum cipher network terminal in order to download the quantum key. Because quantum cryptography network encrypted communication offers unconditional security, it requires high system security, and strict network access authentication management must be applied to network access equipment.
The external device needs to register in the network access authentication server before accessing the network, and provides necessary authentication information including a device ID, an authentication password of a device user or a device administrator, or a biometric characteristic used for authentication. When the external equipment is accessed to the quantum cipher network through the quantum cipher network terminal in a physical mode, the authentication information is sent to the network access authentication server through the quantum secret channel through the quantum cipher network terminal. And the network access authentication server verifies the correctness of the authentication information of the external equipment, and if the correctness is verified, the authentication information of the external equipment and the network access authentication code generated by the authentication information are recorded.
The key distribution server is also located in the quantum cipher network. It provides key distribution service for external equipment that accesses the quantum cipher network through a quantum cipher network terminal, and manages the quantum keys that the external equipment downloads and shares with it. Encrypted data from external equipment carrying out quantum-key-based encrypted communication enters the quantum cipher network through the key distribution server, and the key distribution server first performs identity authentication on the external equipment when carrying out quantum secret communication with it, thereby verifying the legitimacy of the encrypted communication data. The key distribution server acts as a secure relay for encrypted data communication and as a firewall for expansion network encrypted communication data entering the quantum cryptography network.
The external equipment is equipment which is located in a classical network, does not belong to a quantum cryptography network, can realize encryption communication based on a quantum key, and belongs to an expansion network of the quantum cryptography network. The external device can be a mobile device or a fixed device. The mobile external equipment can be directly and externally connected into the quantum cipher network in a physical mode through the quantum cipher network terminal, the network access authentication server needs to authenticate the equipment identity, and the quantum key is distributed to the equipment after the authentication is successful. If the external equipment is fixed, an equipment administrator can also access the quantum password network in a physical mode through a mobile hard disk or a special mobile hard disk through a quantum password network terminal, the network access authentication server needs to authenticate the identity of the administrator of the external equipment, and after the authentication is successful, the mobile hard disk downloads the quantum key distributed by the network access authentication server and copies the quantum key to the fixed external equipment in a physical mode.
As shown in fig. 2, the system connection state diagram when the external device accesses the network to authenticate downloading the quantum key. The details are as follows:
the external equipment B is physically connected with the quantum cipher network terminal through a memory, authentication information is input through the quantum cipher network terminal A, the authentication information is sent to the network access authentication server through a quantum secret communication link between the quantum cipher network terminal and the network access authentication server, the network access authentication server verifies the network access authentication information, if the verification is successful, a server side key and an external equipment key are respectively sent to the key distribution server S and the quantum cipher network terminal A through the quantum secret communication link, and meanwhile, the key distribution server S and the quantum cipher network terminal A are informed to carry out quantum key distribution. And S carries out quantum key distribution through the quantum link and the quantum cryptography network terminal A. And the memory of the external equipment B stores the quantum key.
The external equipment B accesses the quantum cipher network through the quantum cipher network terminal A, provides network access authentication information for the network access authentication server through a quantum secret channel and applies for network access authentication. The network access authentication server authenticates the network access information provided by the external equipment B, and the key distribution server S refuses to provide key distribution service for the external equipment B when the authentication is unsuccessful; if the authentication is successful, the authentication server sends the server-side key KS of the key distribution to the key distribution server, and provides an external device key KB of the key distribution to the external device B, wherein the generation method of the KS and the KB comprises the following steps:
selecting random number R by network access authentication server1Reading the stored network access authentication code MACB of the external equipment B, and using R1And MACB generates KS, KB ═ R1(ii) a The network access authentication server sends the key KS to the key distribution server through the quantum secret channel, and simultaneously sends the key KB to the quantum cipher network terminal A through the quantum secret channel.
After the network access authentication is successful, the network access authentication server informs the key distribution server S to perform quantum key distribution with the quantum cipher network terminal A, the external equipment B stores the quantum key acquired from the quantum cipher network terminal A, and the encryption is performed according to the appointed lengthDividing keys and numbering in sequence, simultaneously storing a key KB sent by an authentication server by an external device B, and accessing a quantum cipher network to download the quantum key and the key KB by the external device B through a mobile hard disk at a quantum cipher network terminal A if the external device B is a fixed external device; and the key distribution server S performs key division and synchronous serial numbering on the quantum keys according to the same mode as the external equipment B, encrypts each quantum key by using the key KS to generate a new key, wherein the data length of each new key is equal to that of the quantum key before encryption, and the key number is unchanged. All new keys take the symbol KSAnd (4) showing.
When the external device B uses the quantum key to perform encrypted communication, it first needs to perform identity authentication when performing encrypted communication to the key distribution server S. Fig. 3 is a flowchart of the external device B implementing identity authentication through the key distribution server S, which is detailed as follows:
1. The external equipment B selects a key and generates an authentication key
From the stored quantum keys, the external equipment selects a quantum key K that is unused or whose number of uses is below the set limit; let its serial number be N. The external equipment generates the network access authentication code MACB from the network access authentication information, generates the key KS from KB and MACB, and encrypts the quantum key K with the key KS to generate Kau. The quantum key numbered N is still stored as K, and the use count of K is incremented by 1;
2. The external equipment B generates an authentication ciphertext using the authentication key
According to a pre-agreed public key encryption algorithm M, the external equipment B uses Kau as a private key to generate a public key PauB, selects a random number R2, and encrypts R2 with the public key PauB to generate a ciphertext E(R2, PauB). The external equipment B sends N, R2 and the ciphertext E(R2, PauB) to the key distribution server S;
3. The key distribution server S verifies the authentication ciphertext
After receiving N, R2 and the ciphertext E(R2, PauB), the key distribution server S selects from K_S the key KauS with serial number N and, using the key KauS as a private key, decrypts E(R2, PauB) with the encryption algorithm M to obtain R'2. If R'2 = R2, the authentication is successful.
The public key encryption algorithm M described in this embodiment is a lattice public key algorithm: public key construction and encrypted communication are implemented with a lattice cipher based on the learning with errors (LWE) problem. Compared with a classical encryption algorithm based on computational complexity, a lattice cipher constructed on LWE is computationally harder to break, resists quantum attacks, and offers higher security.
Because of the particular structure of a lattice cipher public key constructed on LWE, a different public key can be generated from the same private key each time. The public key used to encrypt communication data can therefore differ on every use, and even when the same secret key is reused for authentication the encryption public keys still differ. This increases the number of times an authentication key can be used safely and makes the key harder to crack.
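The exchange in steps 1 to 3, together with the KS/KB derivation and the per-use public key described above, can be traced end to end in the following added example. It is not code from the patent: the HMAC-SHA256 derivation of KS, the SHAKE-256 XOR used as the length-preserving encryption, the toy Regev-style LWE parameters and all function names are assumptions chosen for illustration, and the parameters are far too small for real use.

```python
import hashlib, hmac, secrets

Q, N_DIM, M_SAMPLES = 4093, 32, 64   # toy LWE parameters (constructed, not secure sizes)

def derive_ks(kb, macb):
    # Assumption: the patent only says KS is generated from R1 (= KB) and MACB.
    return hmac.new(kb, macb, hashlib.sha256).digest()

def wrap_key(ks, number, k):
    # Assumption: length-preserving encryption of quantum key K under KS,
    # done here as XOR with a SHAKE-256 keystream bound to the key number.
    stream = hashlib.shake_256(ks + number.to_bytes(4, "big")).digest(len(k))
    return bytes(a ^ b for a, b in zip(k, stream))

def secret_vector(kau):
    # Expand Kau into the LWE private vector s in Z_Q^N_DIM.
    raw = hashlib.shake_256(b"lwe-s" + kau).digest(2 * N_DIM)
    return [int.from_bytes(raw[2*i:2*i+2], "big") % Q for i in range(N_DIM)]

def public_key(kau):
    # Fresh A and small errors on every call: same private key, different public key.
    s = secret_vector(kau)
    rows = [[secrets.randbelow(Q) for _ in range(N_DIM)] for _ in range(M_SAMPLES)]
    b = [(sum(x*y for x, y in zip(a, s)) + secrets.randbelow(3) - 1) % Q for a in rows]
    return rows, b

def encrypt(pk, data):
    rows, b = pk
    out = []
    for bit in ((byte >> i) & 1 for byte in data for i in range(8)):
        pick = [i for i in range(M_SAMPLES) if secrets.randbelow(2)]
        u = [sum(rows[i][j] for i in pick) % Q for j in range(N_DIM)]
        v = (sum(b[i] for i in pick) + bit * (Q // 2)) % Q
        out.append((u, v))
    return out

def decrypt(kau, ct):
    s = secret_vector(kau)
    bits = []
    for u, v in ct:
        d = (v - sum(x*y for x, y in zip(u, s))) % Q   # accumulated error is at most 64
        bits.append(1 if Q // 4 < d < 3 * Q // 4 else 0)
    return bytes(sum(bits[8*i+j] << j for j in range(8)) for i in range(len(bits)//8))

def device_authenticate(kb, macb, keys, n):
    # Steps 1-2 on external device B: Kau = Enc_KS(K_N), then encrypt R2 under PauB.
    kau = wrap_key(derive_ks(kb, macb), n, keys[n])
    r2 = secrets.token_bytes(16)
    return n, r2, encrypt(public_key(kau), r2)

def server_verify(wrapped_keys, n, r2, ct):
    # Step 3 on key distribution server S: KauS is entry N of K_S.
    kaus = wrapped_keys.get(n)
    return kaus is not None and hmac.compare_digest(decrypt(kaus, ct), r2)

def demo():
    # Constructed sample values standing in for network access enrolment.
    r1, macb = secrets.token_bytes(32), b"constructed-MACB"
    ks, kb = derive_ks(r1, macb), r1
    qkeys = {i: secrets.token_bytes(32) for i in range(4)}    # divided and numbered
    k_s = {i: wrap_key(ks, i, k) for i, k in qkeys.items()}   # held by S
    n, r2, ct = device_authenticate(kb, macb, qkeys, 2)
    ok = server_verify(k_s, n, r2, ct)
    wrong_number = server_verify(k_s, 3, r2, ct)
    return ok, wrong_number, public_key(k_s[2]) != public_key(k_s[2])
```

`demo()` returns `(True, False, True)`: authentication succeeds with key number N, fails when the server looks up a different number, and two public keys generated from the same Kau differ.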
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present disclosure and is not intended to limit the present disclosure, and various modifications and changes may be made to the present disclosure by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.
Although the present disclosure has been described with reference to specific embodiments, it should be understood that the scope of the present disclosure is not limited thereto, and those skilled in the art will appreciate that various modifications and changes can be made without departing from the spirit and scope of the present disclosure.

Claims (10)

1. An identity authentication method of quantum cryptography network expansion network equipment is characterized in that: the method comprises the following steps:
authentication when the external equipment acquires the quantum key: authenticating network access information of the external equipment, after authentication is successful, generating a quantum key, a server key and an external equipment key by a quantum cryptography network server, and sending the quantum key and the external equipment key to the external equipment;
identity authentication when the external equipment and the quantum cipher network server end carry out encryption communication: the external equipment selects a key from the received quantum keys, encrypts the key by using the generated server-side key to generate a ciphertext, and sends the ciphertext to the quantum cipher network server side for decryption and authentication.
2. The identity authentication method of quantum cryptography network expansion network equipment as claimed in claim 1, characterized by: in the process of authenticating the network access information of the external equipment, if the authentication is unsuccessful, the quantum password network server refuses to provide the key distribution service for the external equipment.
3. The identity authentication method of quantum cryptography network expansion network equipment as claimed in claim 1, characterized by: the generation process of the server side key and the external device key comprises the following steps: selecting a random number R1, and generating a server side key according to the random number R1 and the network access authentication code MACB of the external equipment, wherein the key of the external equipment is the random number R1.
4. The identity authentication method of quantum cryptography network expansion network equipment as claimed in claim 1, characterized by: after receiving the quantum key, the external equipment performs key division and sequential numbering on the quantum key according to a preset length, and stores the key.
5. The identity authentication method of quantum cryptography network expansion network equipment as claimed in claim 1, characterized by: the quantum cipher network server-side performs key division and synchronous sequence numbering of preset length on the generated quantum keys, and encrypts each quantum key by using the server-side key to generate a new key K_S; the new key is equal in length to the quantum key before encryption and keeps the same number.
6. The identity authentication method of quantum cryptography network expansion network equipment as claimed in claim 4, characterized by: the specific process of selecting a key from the received quantum keys by the external device comprises the following steps: the external equipment selects a quantum key K which is not used or the number of use times of which is lower than the set number of use times from the quantum keys, the serial number of the quantum key K is set to be N, the network access authentication information is used for generating a network access authentication code MACB, a key KS is generated by using a key KB of the external equipment and the MACB, and the quantum key K is encrypted by using the key KS to generate Kau; the quantum key with the number of N is still stored as K, and the use count of K is incremented by 1.
7. The identity authentication method of quantum cryptography network expansion network equipment as claimed in claim 6, characterized by: the specific process of encrypting the cipher text by using the generated server side key comprises the following steps: the external device generates a public key PauB by using Kau as a private key according to a prearranged encryption algorithm M, selects a random number R2, and encrypts R2 using the public key PauB to generate a ciphertext E(R2, PauB); the external equipment sends the number N, the random number R2 and the ciphertext E(R2, PauB) to the quantum cryptography network server side.
8. The identity authentication method of quantum cryptography network expansion network equipment as claimed in claim 7, characterized by: the specific process of carrying out decryption authentication by the quantum cryptography network server comprises the following steps: after receiving the number N, the random number R2 and the ciphertext E(R2, PauB), the quantum cipher network server selects from K_S a key KauS with the serial number of N, and, using the key KauS as a private key, decrypts E(R2, PauB) with the encryption algorithm M to obtain R'2; if R'2 = R2, the authentication is successful.
9. The identity authentication method of quantum cryptography network expansion network equipment as claimed in claim 8, characterized by: the encryption algorithm M is a lattice public key algorithm based on LWE.
10. An identity authentication system of quantum cryptography network extension network equipment is characterized in that: including quantum cryptography network server end and external device, wherein:
the quantum cipher network server end comprises a network access authentication server, a key distribution server and a quantum cipher network terminal;
the network access authentication server is configured to execute identity authentication when the external device acquires the quantum key: the network access information of the external equipment is authenticated, and after the authentication is successful, a server side key and an external equipment key are respectively sent to a key distribution server and a quantum cipher network terminal, and the key distribution server and the quantum cipher network terminal are notified to distribute quantum keys;
the quantum cipher network terminal is configured to receive an external device key sent by the network access authentication server, distribute a quantum key with the key distribution server, and send the generated quantum key and the external device key to the external device;
the external equipment and the key distribution server respectively divide and sequentially number the shared quantum keys;
the key distribution server is configured to execute identity authentication when the external device and the quantum cryptography network server side perform encryption communication: receiving a key selected by the external equipment from the quantum keys, encrypting the key by using the generated server-side key, generating a ciphertext, and performing decryption authentication.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011638249.7A CN114697039A (en) 2020-12-31 2020-12-31 Identity authentication method of quantum cipher network expansion network equipment


Publications (1)

Publication Number Publication Date
CN114697039A true CN114697039A (en) 2022-07-01

Family

ID=82134821

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011638249.7A Pending CN114697039A (en) 2020-12-31 2020-12-31 Identity authentication method of quantum cipher network expansion network equipment

Country Status (1)

Country Link
CN (1) CN114697039A (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination