CN114726523B - Password application service system and quantum security capability open platform - Google Patents


Info

Publication number
CN114726523B
Authority
CN
China
Prior art keywords
quantum
service
key
security
middleware
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210537346.XA
Other languages
Chinese (zh)
Other versions
CN114726523A (en)
Inventor
左崴东
李成东
戚巍
李明翰
窦东瑜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cas Quantum Network Co ltd
Beijing Guoke Quantum Co Creation Communication Technology Research Institute Co ltd
Original Assignee
Cas Quantum Network Co ltd
Beijing Guoke Quantum Co Creation Communication Technology Research Institute Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cas Quantum Network Co ltd and Beijing Guoke Quantum Co Creation Communication Technology Research Institute Co ltd
Priority to CN202210537346.XA
Publication of CN114726523A
Application granted
Publication of CN114726523B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852 Quantum cryptography
    • H04L 9/0855 Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of quantum communication, and discloses a password application service system and a quantum security capability open platform. In the present invention, a password application service system includes: a QKD network, quantum cryptography application middleware and a quantum security capability open platform; the QKD network is in communication connection with the quantum cryptography application middleware and is used for providing a quantum key for the quantum cryptography application middleware; the quantum password application middleware is in communication connection with the quantum security capability open platform and provides a password service interface for the user side. The quantum cryptography application middleware extracts a quantum key from the QKD network, integrates with partner/content service provider products and technologies through a quantum security capability open platform, and packages the quantum key into standard security capability to realize functions of identity authentication, confidentiality, integrity protection and the like. The limitation of the current point-to-point quantum VPN encryption is avoided, multi-node networking can be realized, the QKD network can be subjected to unified operation/operation and maintenance management, and a service operation network is formed.

Description

Password application service system and quantum security capability open platform
Technical Field
The embodiment of the invention relates to the field of quantum communication, in particular to a password application service system and a quantum security capability open platform.
Background
In the current quantum encryption router scheme, a security interface to a quantum key distribution (QKD) network is added to an IPSec virtual private network (VPN) gateway, a quantum key access and application mechanism is added to the IPSec VPN security policy, a one-time-one-key encryption option based on quantum keys is added to the IPSec encryption component, and a policy that preferentially uses the quantum key as the pre-shared key, as the session key of the data encryption algorithm and as the shared key of the HMAC algorithm is added. The quantum key is thereby fused with the IPSec protocol, and the quantum security of identity authentication, message authentication and data encryption in the IPSec VPN system is improved.
However, the inventors have found that the above scheme has the following problems: it realizes only point-to-point quantum VPN encryption, cannot realize multi-node networking, offers a relatively narrow set of functions with insufficient technical extensibility, and does not form a business operation network.
Disclosure of Invention
The invention aims to provide a password application service system and a quantum security capability open platform that avoid the limitation of current point-to-point quantum VPN encryption, can realize multi-node networking, allow unified operation and maintenance management of a QKD network, and can realize cross-domain interconnection and interworking to form a service operation network.
In order to solve the above technical problem, an embodiment of the present invention provides a password application service system, including: a quantum key distribution QKD network, quantum cryptography application middleware and a quantum security capability open platform; the QKD network is in communication connection with the quantum cryptography application middleware and is used for providing a quantum key for the quantum cryptography application middleware; the quantum password application middleware is in communication connection with the quantum security capability open platform, provides quantum security capability for the quantum security capability open platform and provides a password service interface for a user side; the quantum security capability open platform is used for interacting with the content service provider server and combining the service provided by the content service provider server with the quantum security capability to form a service with the quantum security capability; the quantum cryptography application middleware is used for providing application with quantum security capability to a user side through a cryptographic service interface according to a quantum key acquired from the QKD network, wherein the quantum security capability comprises the quantum key, an encryption algorithm and a cryptographic protocol.
The embodiment of the invention also provides a quantum security capability open platform which is respectively in communication connection with the content server and the quantum password application middleware and is used for combining the service provided by the content server and the quantum security capability provided by the quantum password application middleware to form the service with the quantum security capability; wherein, the open platform of quantum security ability includes: a registry and a service module; the registration center is used for registering the service capability of the service provided by the content service provider server; the service module is used for providing customized service, key strategy and service support system BSS function which combines the service capability registered by the registration center and the quantum security capability.
The quantum key can be extracted from the QKD network by the quantum cryptography application middleware, and services of a partner/content service provider, such as products or technologies, can be integrated and encapsulated into standard security capability (such as quantum keys, encryption algorithms, cryptographic protocols and the like) through a quantum security capability open platform, so that the application with the quantum security capability is provided for a user side, and the functions of identity authentication, confidentiality, integrity protection and the like are realized. The method realizes the multi-node networking, solves the integration of products or technologies of the QKD network and a partner/content service provider, realizes the unified operation/operation and maintenance management and cross-domain interconnection and intercommunication of the QKD network, and forms a service operation network. Meanwhile, the service deployment and the bearing network are separated to form an independent part so that the cooperation partners/content service providers have the opportunity to participate in competition, the intercommunication among multiple manufacturers and the rapid deployment of new services are facilitated, and the impact and the influence of the evolution of the network on the original services and the new services are avoided to the maximum extent.
In one example, the quantum cryptography application middleware is further operable to provide a management interface to a management system, where the management system includes a quantum communication network management system (QNMS), a quantum communication service support system (QBSS) and a security center. By providing management interfaces to the QNMS, the QBSS and the security center, the middleware can report configuration information, performance information, management information, security information, alarm information and slice information, support consumption statistics and account reconciliation, and can report the situation to the security center promptly when the system suffers a malicious attack, a natural disaster or another serious hazard.
In one example, a key engine and an ICT application are deployed on a user side to achieve inter-domain delivery of security capability between quantum cryptography application middleware and the ICT application and between quantum cryptography application middleware and the key engine, so that fusion with the user ICT application is achieved. The quantum cryptography application middleware is used for providing quantum keys for ICT application through the cryptography service interface and providing key factors or key vectors to the key engine through the cryptography service interface, and the key engine is used for deriving a plurality of quantum keys based on the key factors or the key vectors provided by the quantum cryptography application middleware. The key engine can generate a service root key based on the key factor or the key vector, derive a protection working key and a session key based on the service root key, and provide a key management function, thereby realizing functions of data encryption, transmission encryption, process protection, process isolation and the like.
In one example, quantum cryptography application middleware comprises: a plurality of middleware platforms deployed at the network node and a plurality of security engines deployed at the user node; the network nodes comprise access nodes and core nodes; the middleware platform is connected with the security engine and used for carrying out centralized management and control on the security engine; the security engine is connected with a middleware platform deployed at the access node, or the security engine is connected with a middleware platform deployed at the core node, and the middleware platform deployed at the access node is connected with the middleware platform deployed at the core node; the security engine is configured to obtain a quantum key provided for the ICT application from the QKD network and to provide a key factor or key vector to the key engine through the cryptographic service interface.
In one example, the security engine comprises a quantum security gateway, a quantum security service software development kit (SDK), a quantum security U shield and a quantum key filling machine. The quantum security gateway works in online mode or offline mode and realizes one or any combination of the following functions: quantum key agent, local key management, access authentication, session management, encryption and decryption engine, integrity protection and access control. The quantum security service SDK works in online mode or offline mode according to the hardware environment it is loaded into, provides a uniform API access interface and provides basic quantum security service functions, which comprise one or any combination of the following: device management, access control, key agreement, cryptographic service and key management. The quantum security U shield works in offline mode, stores quantum keys and provides cryptographic services to the user side. The quantum key filling machine works in offline mode and provides updated quantum keys to the quantum security U shield. This arrangement follows a loose-coupling principle that intrudes on the customer's business as little as possible: security is guaranteed without affecting the service performance of the customer's business, the quantum security service can be deployed in the customer's own environment, and it suits the various complex real environments of customers, such as cloud environments, privately deployed environments, Internet of Things environments and mobile internet environments.
The quantum key filling machine accesses the quantum network securely and credibly at the nearest point and refreshes the quantum key resources, so that quantum security remains available during mobile use.
In one example, the quantum security U shield comprises one or any combination of the following: a U shield (USB key), a TF card, a quantum security software cryptographic module and an encryption chip.
In one example, a middleware platform includes: the system comprises a service unit, a control unit, an interconnection unit and a key management machine; the service unit is used for providing an open architecture and safety management of quantum application service and a charging function of the service; the control unit is used for providing operation analysis, access control and network operation and maintenance functions; the interconnection unit is used for providing routing management and topology management functions; the key management machine is used for carrying out key management.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings; like reference numerals in the figures refer to similar elements, and the figures are not to scale unless otherwise specified.
Fig. 1 is a schematic structural diagram of a cryptographic application service system according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a network structure of quantum cryptography application middleware according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a flow of a quantum security capability open platform according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an online usage flow in accordance with an embodiment of the present invention;
FIG. 5 is a schematic diagram of an offline usage flow according to an embodiment of the present invention;
FIG. 6 is a roaming flow diagram according to an embodiment of the invention;
fig. 7 is a schematic flow chart illustrating interconnection and interworking between middleware platforms according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. However, it will be appreciated by those of ordinary skill in the art that numerous technical details are set forth in order to provide a better understanding of the present application in various embodiments of the present invention. However, the technical solution claimed in the present application can be implemented without these technical details and various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not constitute any limitation to the specific implementation manner of the present invention, and the embodiments may be mutually incorporated and referred to without contradiction.
A first embodiment of the present invention relates to a cryptographic application service system. Specifically, as shown in fig. 1, the cryptographic application service system includes: a QKD network, quantum cryptography application middleware, and a quantum security capability open platform.
Wherein the QKD network is in communication with the quantum cryptography application middleware and the QKD network is configured to provide the quantum key to the quantum cryptography application middleware. In one example, the QKD network is communicatively coupled to quantum cryptography application middleware via a quantum key source interface comprising: quantum Key Management ("QKM") Key source interface.
The quantum cryptography application middleware is in communication connection with the quantum security capability open platform, and provides quantum security capability for the quantum security capability open platform, for example, the quantum security capability is provided for the quantum security capability open platform by means of an open API interface, and provides a cryptographic service interface for the user side, for example, a key engine and an Information and Communications Technology (ICT) application are deployed on the user side; quantum cryptographic application middleware provides quantum keys for ICT application through a cryptographic service interface and provides key factors or key vectors to a key engine through the cryptographic service interface; the key engine is used for deriving a plurality of quantum keys based on key factors or key vectors provided by quantum cryptography application middleware. The security capability inter-domain delivery between the quantum cryptography application middleware and the ICT application and between the quantum cryptography application middleware and the key engine can be realized through the communication connection between the cryptographic service interface and the key engine and the ICT application. The quantum cryptography application middleware is also used for providing a management interface for the management system; wherein, the management system includes: a Quantum communication Network Management System (QNMS for short), a Quantum communication service Support System (QBSS for short) and a security center. 
The key engine derives a plurality of quantum keys based on the key factors or key vectors provided by the quantum cryptography application middleware, and can provide a key management function for any environment, including cloud services. A key factor or key vector can be understood as the key information required for key derivation, and the derived quantum keys are used according to actual business needs: the key engine can generate a business root key from the key factor or key vector, derive a protection working key and a session key from the business root key, and provide key management, thereby realizing data encryption, transmission encryption, process protection, process isolation and similar functions. The ICT application may include secure transport services, secure storage services, secure escrow services, government, enterprise and industrial Internet application solutions, and the like.
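The key-engine hierarchy described here and in the summary above (key factor or key vector, then a business root key, then protection working keys and session keys) is illustrated by the following added example. It is not code from the patent or its assignees: the patent names no key derivation function, so HKDF (RFC 5869) over HMAC-SHA256 is assumed, as are the label strings, the 32-byte key lengths and the use of the key vector as the HKDF salt. The key factor values are constructed.

```python
"""Key engine: derive a service root key from a key factor handed over by the
quantum cryptography application middleware, then derive protection working
keys and per-session keys from that root.

Added illustration, not code from the patent or its assignees. HKDF (RFC 5869)
over HMAC-SHA256, the label strings, the key lengths and the treatment of the
key vector as HKDF salt are all assumptions."""
import hashlib
import hmac
import secrets

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC-SHA256(salt, IKM); an empty salt is a zero block."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i), i = 1, 2, ..."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class KeyEngine:
    """User-side key engine. It never sees the raw quantum key stream; it only
    receives a key factor (and optionally a key vector) over the cryptographic
    service interface and derives every other key locally."""

    def __init__(self, service_id: str, key_factor: bytes, key_vector: bytes = b""):
        if len(key_factor) < 16:
            raise ValueError("key factor too short to be a useful secret")
        self.service_id = service_id
        prk = hkdf_extract(key_vector, key_factor)
        # Business (service) root key: the label includes the service id, so two
        # services handed the same key factor still end up with unrelated roots.
        self.root_key = hkdf_expand(prk, b"QSVC-ROOT|" + service_id.encode(), HASH_LEN)

    def working_key(self, purpose: str) -> bytes:
        """Protection working key for one purpose (e.g. 'storage', 'process-protect').
        Deterministic, so data protected earlier can always be recovered."""
        return hkdf_expand(self.root_key, b"QSVC-WORK|" + purpose.encode(), HASH_LEN)

    def session_key(self, peer_id: str, nonce: bytes) -> bytes:
        """Session key bound to the peer and a fresh nonce. Because HKDF is one-way,
        a leaked session key reveals nothing about the root, the working keys or
        other sessions."""
        if len(nonce) < 16:
            raise ValueError("session nonce too short")
        peer = peer_id.encode()
        # Length-prefix the peer id so peer/nonce boundaries are unambiguous.
        info = b"QSVC-SESS|" + len(peer).to_bytes(2, "big") + peer + nonce
        return hkdf_expand(self.root_key, info, HASH_LEN)


if __name__ == "__main__":
    # Constructed sample inputs; a real key factor arrives from the middleware.
    engine = KeyEngine("secure-storage", secrets.token_bytes(32))
    print("working key:", engine.working_key("storage").hex())
    print("session key:", engine.session_key("engine-B", secrets.token_bytes(16)).hex())
```

The extract/expand split matters for the design: the root key is expanded from a pseudorandom key rather than used raw, each derived key carries a distinct label, and session keys additionally mix in a per-session nonce, so compromise of any leaf key does not expose the key factor the middleware delivered.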
The quantum security capability open platform is used for interacting with a content service provider server, combining services provided by the content service provider server with quantum security capability provided by quantum password application middleware to form services with quantum security capability, and realizing the integration of products or technologies of partners/content service providers into new products/technologies with quantum tags. That is to say, the quantum security capability provided by the quantum password application middleware can be acquired through the quantum security capability open platform, so that the combination of the service provided by the content service provider server and the quantum security capability is realized, the application with the quantum security capability is further developed, and the service is issued to the user through the quantum security capability open platform.
The quantum cryptography application middleware provides the application with quantum security capability to the user side through the cryptographic service interface according to the quantum key acquired from the QKD network, wherein the quantum security capability comprises the quantum key, an encryption algorithm and a cryptographic protocol. For example, the service provided by the content service provider server is traditional situation awareness, and the application with quantum security capability is quantum security situation awareness.
The following describes each component and interface related to the present embodiment in detail.
As shown in fig. 1, the quantum cryptography application middleware includes: a middleware platform and a security engine. The middleware platform is connected with the security engine and is used for carrying out centralized management and control on the security engine; the security engine is configured to obtain a quantum key provided for the ICT application from the QKD network and to provide a key factor or key vector to the key engine through the cryptographic service interface. Wherein, middleware platform includes: the system comprises a service unit, a control unit, an interconnection unit and a key management machine; the security engine includes: the system comprises a quantum security gateway, a quantum security service Software Development Kit (SDK), a quantum security U shield and a quantum key filling machine.
Specifically, the quantum cryptography application middleware includes: a plurality of middleware platforms deployed at the network nodes and a plurality of security engines deployed at the user nodes; the network node comprises an access node and a core node, and the middleware platform is connected with the security engine and used for carrying out centralized management and control on the security engine. The security engine is connected with a middleware platform deployed at the access node, or the security engine is connected with a middleware platform deployed at the core node, and the middleware platform deployed at the access node is connected with the middleware platform deployed at the core node. That is to say, the middleware platform realizes the function of a layered architecture through the interconnection unit, and the middleware platforms of multiple cities form a middleware platform network. The middleware platform network is divided into two levels of a core node and an access node, the access node is connected with the core node and is controlled by the core node across a metropolitan area, and interconnection and intercommunication of a wide area network are realized. The multi-vendor quantum cryptography application middleware realizes cross-domain interconnection and intercommunication through interconnection units and interconnection agents of respective middleware platforms, as shown in fig. 2. The service unit in the middleware platform mainly comprises a quantum application service open architecture and a safety management and service charging module; the control unit comprises functional modules of operation analysis, access control, network operation and maintenance and the like of quantum network safety capacity, and the interconnection unit comprises functional modules of route management, topology management and the like. 
When designing its protocol, the middleware platform takes into account the effect that crossing security facilities has on the protocol system, so as to avoid problems such as the platform being unable to communicate after passing through security devices such as network gatekeepers (isolation devices) and firewalls.
In other words, the control unit in the middleware platform provides operation analysis, access control, and network operation and maintenance functions, and specifically may support the following management:
Policy management: supports access control of security engine nodes and control of the security policy.
Security engine management: supports creation, configuration, update, query, deletion and backup of security engines, supports attribution of security engines (which platform a security engine belongs to), and supports management of security engine performance, alarms and logs.
Session management: session management among security engines, with consistency of session parameters guaranteed.
Access control: access control of security engines and access control between different nodes.
Operation, maintenance and management: the middleware platform provides security management, configuration management, performance management, alarm management, log management, data backup and recovery, and similar functions.
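The session management item above, together with the gateway-side session functions the description lists later (session establishment, heartbeat, active release and timeout release among security engines), is illustrated by the following added example. It is not code from the patent or its assignees; the session record layout, the idle timeout value, the injectable clock and the rule that a heartbeat carrying mismatched session parameters tears the session down are assumptions.

```python
"""Session management between security engines: establishment, heartbeat,
active release, timeout release and a session-parameter consistency check.

Added illustration, not code from the patent or its assignees. The session
record layout, the idle timeout and the injectable clock are assumptions."""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    local_engine: str
    peer_engine: str
    key_id: str                      # id of the key negotiated for this session
    created_at: float
    last_heartbeat: float
    params: dict = field(default_factory=dict)  # cipher suite etc., agreed at setup


class SessionManager:
    """Per-engine session table. `clock` is injectable so timeout behaviour can
    be tested without sleeping; it defaults to time.monotonic."""

    def __init__(self, engine_id: str, idle_timeout: float = 30.0, clock=None):
        self.engine_id = engine_id
        self.idle_timeout = idle_timeout
        self._clock = clock or time.monotonic
        self._sessions: dict[str, Session] = {}
        self.audit: list[tuple[str, str]] = []  # (session_id, reason) for every release

    def establish(self, peer_engine: str, key_id: str, params: dict) -> Session:
        """Open a session with a peer engine, bound to a negotiated key id."""
        now = self._clock()
        session = Session(secrets.token_hex(8), self.engine_id, peer_engine,
                          key_id, now, now, dict(params))
        self._sessions[session.session_id] = session
        return session

    def heartbeat(self, session_id: str, params: dict) -> bool:
        """Peer liveness signal. The peer echoes the session parameters; a
        mismatch means the two ends have drifted, so the session is released
        rather than kept alive with inconsistent state."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        if params != session.params:
            self._release(session_id, "parameter mismatch")
            return False
        session.last_heartbeat = self._clock()
        return True

    def release(self, session_id: str) -> bool:
        """Active release requested by either side."""
        if session_id not in self._sessions:
            return False
        self._release(session_id, "active release")
        return True

    def sweep(self) -> list:
        """Timeout release: drop every session whose last heartbeat is older
        than the idle timeout. Returns the ids released."""
        now = self._clock()
        expired = [sid for sid, s in self._sessions.items()
                   if now - s.last_heartbeat > self.idle_timeout]
        for sid in expired:
            self._release(sid, "timeout")
        return expired

    def is_active(self, session_id: str) -> bool:
        return session_id in self._sessions

    def _release(self, session_id: str, reason: str) -> None:
        # Releasing a session is also the point at which its session key is retired.
        self._sessions.pop(session_id, None)
        self.audit.append((session_id, reason))


if __name__ == "__main__":
    manager = SessionManager("engine-A", idle_timeout=30.0)
    s = manager.establish("engine-B", "key-1", {"cipher": "SM4"})
    print("established", s.session_id, "alive:", manager.heartbeat(s.session_id, {"cipher": "SM4"}))
    print("released:", manager.release(s.session_id), "audit:", manager.audit)
```

The audit list is deliberately kept separate from the live table: when a session disappears, an operator can still see whether it was closed by the peer, timed out, or was torn down because the two engines no longer agreed on the session parameters.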
The service unit in the middleware platform provides an open architecture and security management for the quantum application service, and a charging function for the service, and specifically may support the following management:
Quantum key source management: the middleware platform configures and manages the quantum key sources corresponding to each security engine, supports the life-cycle management policy of the quantum keys corresponding to the platform's own security engines, and supports interworking with the middleware platforms of other nodes to provide a function for querying the key source corresponding to a security engine.
Customer management: provides functions for creating, configuring, updating, querying and deleting customers.
Application management: configuration for a specific application service, including the identifier of the customer the application belongs to, the application key generation policy, the application security hardening mode, the application access route, the application access control mode and so on.
Platform portal (optional): selects quantum security products and provisions services according to the actual requirements of the service user, such as the regions, areas and product lines over which the customer's users are distributed; it covers the service catalogue, service introduction, service acquisition, service release, service orchestration, service reports, service visualization dashboards, order management, service feedback, service monitoring and so on.
The SaaS platform portal and user centre include the home page, product management, user management, order management, quantum community, quantum key filling, application store and similar functions.
Application key management: the life-cycle management policy of the application keys corresponding to each security engine belonging to the node middleware platform.
Charging gateway: the system should reserve expansion capability for a charging gateway and provide call-record (ticket) receiving and management functions according to the requirements of the charging system.
The interconnection unit in the middleware platform provides routing management and topology management functions, and specifically may support the following management:
Routing management: includes route configuration of superior nodes and route management among security engine nodes; route management supports interaction between the management and control centres of different vendors.
Topology management: visualizes the connection relations between each middleware platform node and the security engines, supports display of the whole-network topology in a "tree on the left, graph on the right" layout, and should support topology functions such as logical views and grouped nodes.
The key management machine in the middleware platform performs key management, such as key life-cycle management: it ensures the security of keys over their whole life cycle, ensures that keys (other than public keys) are not subject to unauthorized access, use, leakage, modification or replacement, and ensures that public keys are not subject to unauthorized modification or replacement. Key management covers key generation, distribution, storage, use, update, archiving, revocation, backup, recovery and destruction.
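The life-cycle stages just listed are easiest to reason about as an explicit state machine in which every stage is a state and only certain transitions are legal. The following added example does that; it is not code from the patent or its assignees. The state names, the transition table, the rule that an archived key may only decrypt, and the `drop()` helper that models losing the primary record are assumptions made for the illustration.

```python
"""Key life-cycle enforcement for a key management machine: generation,
distribution, storage, use, update, archiving, revocation, backup, recovery
and destruction as explicit states with allowed transitions.

Added illustration, not code from the patent or its assignees. State names,
the transition table and the decrypt-only rule for archived keys are
assumptions modelled on the life-cycle stages the description lists."""
import secrets
from enum import Enum


class KeyState(Enum):
    GENERATED = "generated"      # material exists, not yet delivered
    DISTRIBUTED = "distributed"  # delivered to a security engine, not yet enabled
    ACTIVE = "active"            # may encrypt and decrypt
    ARCHIVED = "archived"        # rotated out: decrypt old data only
    REVOKED = "revoked"          # compromised or withdrawn: no cryptographic use
    DESTROYED = "destroyed"      # material zeroised; only the audit record remains


ALLOWED = {
    KeyState.GENERATED: {KeyState.DISTRIBUTED, KeyState.DESTROYED},
    KeyState.DISTRIBUTED: {KeyState.ACTIVE, KeyState.REVOKED, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.ARCHIVED, KeyState.REVOKED},
    KeyState.ARCHIVED: {KeyState.REVOKED, KeyState.DESTROYED},
    KeyState.REVOKED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}

# The "use" stage: which operations each state permits.
PERMITTED_OPS = {KeyState.ACTIVE: {"encrypt", "decrypt"}, KeyState.ARCHIVED: {"decrypt"}}


class KeyLifecycleError(Exception):
    pass


class ManagedKey:
    def __init__(self, key_id: str, material: bytes, owner: str):
        self.key_id = key_id
        self.material = material   # in a real key manager this never leaves hardware
        self.owner = owner         # the security engine authorised to use the key
        self.state = KeyState.GENERATED
        self.history = [KeyState.GENERATED]


class KeyManager:
    def __init__(self):
        self._keys = {}
        self._backup = {}

    def generate(self, key_id: str, owner: str, length: int = 32) -> ManagedKey:
        if key_id in self._keys:
            raise KeyLifecycleError(f"{key_id}: id already in use")
        key = ManagedKey(key_id, secrets.token_bytes(length), owner)
        self._keys[key_id] = key
        return key

    def state(self, key_id: str) -> KeyState:
        return self._keys[key_id].state

    def _transition(self, key_id: str, new_state: KeyState) -> ManagedKey:
        key = self._keys[key_id]
        if new_state not in ALLOWED[key.state]:
            raise KeyLifecycleError(f"{key_id}: {key.state.value} -> {new_state.value} not allowed")
        key.state = new_state
        key.history.append(new_state)
        if new_state is KeyState.DESTROYED:
            key.material = None             # zeroise the material ...
            self._backup.pop(key_id, None)  # ... and purge every backup copy of it
        return key

    def distribute(self, key_id: str) -> ManagedKey:
        return self._transition(key_id, KeyState.DISTRIBUTED)

    def activate(self, key_id: str) -> ManagedKey:
        return self._transition(key_id, KeyState.ACTIVE)

    def revoke(self, key_id: str) -> ManagedKey:
        return self._transition(key_id, KeyState.REVOKED)

    def destroy(self, key_id: str) -> ManagedKey:
        return self._transition(key_id, KeyState.DESTROYED)

    def update(self, old_id: str, new_id: str) -> ManagedKey:
        """Rotation: the old key becomes decrypt-only and a fresh key takes over."""
        old = self._transition(old_id, KeyState.ARCHIVED)
        self.generate(new_id, old.owner, len(old.material))
        self.distribute(new_id)
        return self.activate(new_id)

    def use(self, key_id: str, operation: str, principal: str) -> bytes:
        """Both the caller and the key's current state are checked before use."""
        key = self._keys[key_id]
        if principal != key.owner:
            raise KeyLifecycleError(f"{key_id}: {principal} is not authorised")
        if operation not in PERMITTED_OPS.get(key.state, set()):
            raise KeyLifecycleError(f"{key_id}: {operation} not permitted while {key.state.value}")
        return key.material

    def backup(self, key_id: str) -> None:
        key = self._keys[key_id]
        if key.state is KeyState.DESTROYED:
            raise KeyLifecycleError(f"{key_id}: nothing left to back up")
        self._backup[key_id] = (key.state, key.material, key.owner, list(key.history))

    def drop(self, key_id: str) -> None:
        """Lose the primary record (models a node failure); recover() restores it."""
        del self._keys[key_id]

    def recover(self, key_id: str) -> ManagedKey:
        if key_id in self._keys:
            raise KeyLifecycleError(f"{key_id}: record still present")
        if key_id not in self._backup:
            raise KeyLifecycleError(f"{key_id}: no backup exists")
        state, material, owner, history = self._backup[key_id]
        key = ManagedKey(key_id, material, owner)
        key.state, key.history = state, list(history)
        self._keys[key_id] = key
        return key
```

Two checks in this model are the ones worth carrying into a real key manager: a key that has been rotated out can still decrypt but never encrypt new data, and destruction purges the backup copies, so a destroyed key cannot quietly come back through recovery.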
The security engine of the quantum cryptography application middleware is deployed at a user node and provides QKD-based cryptographic services to the user's business system. The security engine comprises a quantum security gateway, a quantum security service software development kit (SDK), a quantum security U shield (a USB key token) and a quantum key filling machine. The quantum security gateway works in online mode or offline mode and implements one or any combination of the following functions: quantum key agent, local key management, access authentication, session management, encryption/decryption engine, integrity protection and access control. The SDK works in online or offline mode depending on the hardware environment it is loaded on; it exposes a uniform application programming interface (API) and provides the basic quantum security service functions, i.e. one or any combination of device management, access control, key agreement, cryptographic service and key management. The quantum security U shield works in offline mode; it stores quantum keys and provides cryptographic services to the user side. The quantum key filling machine works in offline mode and supplies updated quantum keys to the quantum security U shield.
Specifically, the quantum security gateway supports both online and offline operation. In online mode the gateway obtains quantum keys in real time from the QKD network through the quantum devices. In offline mode the gateway uses a quantum security U shield as the medium for key storage, transfer, import and cryptographic operation: the U shield is filled with quantum keys from the QKD network through the quantum devices and the quantum key filling machine, and the keys are then consumed asynchronously, offline.
The functions supported by the quantum security gateway include:
(1) Quantum key agent: provides the quantum key agent function and obtains quantum keys in online mode; manages the full life cycle of the obtained quantum keys according to the policy issued by the middleware platform; the virtual resource pool is statically mapped and pinned to fixed physical servers.
(2) Local key management: converts quantum keys into application keys according to the policy issued by the middleware platform, and manages the full life cycle of the application keys according to that policy.
(3) Access authentication: enforces access control for peer security engines and for applications according to the policy issued by the middleware platform.
(4) Session management: session establishment, heartbeat, active release and timeout release between security engines, and negotiation of the keys used for data encryption and integrity protection between security engines.
(5) Encryption/decryption engine: encrypts and decrypts application data according to the policy issued by the middleware platform; supports encryption algorithms such as AES, DES, Triple DES and SM4.
(6) Integrity protection: protects and verifies the integrity of application data according to the policy issued by the middleware platform; supports hash algorithms such as MD5, SHA-1, SHA-256, SHA-512 and SM3.
(7) Access control: supports security isolation between different security domains and enforces access control between domains according to the policy issued by the middleware platform; when service data crosses security domains, a security check is triggered, the security policy is applied and service messages are controlled according to policy. Provides packet filtering, stateful inspection, application-layer message filtering, resistance to distributed denial-of-service attacks and deep packet inspection, and supports user-defined black and white lists.
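Function (2) above, converting a quantum key into application keys and managing their life cycle, is the part of the gateway that an integrator actually has to get right, and it is the same derivation the claims attribute to the key engine (deriving a plurality of keys from a key factor or key vector). The following is an added example, not code from the patent or from the applicants: it uses HKDF-SHA256 (RFC 5869) to expand one QKD key block into one key per application, with the QKD key ID as salt and the application ID as context, and tracks each derived key through the distributed, in-use, revoked and destroyed states. The key IDs, the `qsec-app-key` label, the `max_uses` policy value and the `LocalKeyManager` API are assumptions; the patent does not specify a derivation function or a policy format. Standard library only.

```python
"""Local key management: quantum key block -> per-application keys with life cycle.

Added example (not the patent's code). HKDF-SHA256 per RFC 5869; key IDs,
info labels and the max_uses policy are assumed, not taken from the patent."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


@dataclass
class AppKey:
    key_id: str
    key: bytes
    state: str = "distributed"   # distributed -> in_use -> revoked | destroyed
    uses: int = 0


@dataclass
class LocalKeyManager:
    """Application keys derived from quantum key blocks held by one security
    engine. max_uses stands in for the key policy issued by the middleware
    platform (assumed value, not from the patent)."""
    max_uses: int = 100
    keys: dict = field(default_factory=dict)

    def derive(self, quantum_key: bytes, qkd_key_id: str, app_ids, length: int = 32) -> dict:
        """One application key per app from one quantum key block.
        The QKD key ID is the HKDF salt, so re-deriving for the same block ID
        yields the same keys (idempotent re-sync); the app ID is the HKDF info,
        so an app cannot compute a sibling's key without the quantum key itself."""
        prk = hkdf_extract(qkd_key_id.encode(), quantum_key)
        out = {}
        for app in app_ids:
            key_id = f"{qkd_key_id}/{app}"
            key = hkdf_expand(prk, b"qsec-app-key|" + app.encode(), length)
            self.keys[key_id] = AppKey(key_id, key)
            out[key_id] = key
        return out

    def use(self, key_id: str) -> bytes:
        """Hand out a key for one cryptographic operation, enforcing the policy."""
        k = self.keys[key_id]
        if k.state in ("revoked", "destroyed"):
            raise PermissionError(f"{key_id} is {k.state}")
        if k.uses >= self.max_uses:
            self.revoke(key_id)
            raise PermissionError(f"{key_id} exceeded max_uses; revoked")
        k.state = "in_use"
        k.uses += 1
        return k.key

    def revoke(self, key_id: str) -> None:
        self.keys[key_id].state = "revoked"

    def destroy(self, key_id: str) -> None:
        """Drop the key material and keep only the record for audit. Python
        bytes are immutable, so this replaces the reference rather than
        wiping memory; a real engine does this inside the cryptographic module."""
        k = self.keys[key_id]
        k.key = b""
        k.state = "destroyed"


if __name__ == "__main__":
    lkm = LocalKeyManager(max_uses=2)
    block = os.urandom(32)                      # stands in for a QKD key block
    keys = lkm.derive(block, "QK-000001", ["app-erp", "app-crm"])
    for key_id in keys:
        print(key_id, lkm.use(key_id).hex()[:16], lkm.keys[key_id].state)
    lkm.destroy("QK-000001/app-crm")
    print(lkm.keys["QK-000001/app-crm"].state)
```

Two design points carry over to a real gateway: the application key never leaves the manager in any state other than `in_use`, and a key that hits its policy limit is revoked on the spot rather than silently handed out again, which is the behaviour the "full life cycle management according to policy" wording implies.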
The SDK in the security engine supports rapid integration of ICT applications with the quantum cryptography application middleware: it provides a uniform API, hides the technical details and protocols of the quantum network and of the middleware, and eases the integration and development of ICT cryptographic application devices and systems. Through the standardized API provided by the SDK, the ICT application client accesses the quantum security service functions provided by the middleware, such as authentication, authorization and key distribution, and obtains the basic cryptographic service and key management interfaces. The quantum security service SDK/API follows the Chinese cryptographic industry standards (GM/T) and provides the basic quantum security service functions: device management, access control, key agreement, cryptographic service, and a key management interface for docking with the key manager.
The quantum security U shield in the security engine is a terminal cryptographic device with cryptographic operation and key management capability that provides cryptographic services; it is mainly used to store quantum keys and to perform data encryption/decryption, data integrity verification, digital signature and access control. Its form factors include the quantum security U shield itself, the quantum security TF card, the quantum security software cryptographic module and the encryption chip.
The quantum key filling machine in the security engine is the "refuelling station" for quantum key resources: security media such as the quantum security U shield and the quantum security TF card connect securely and reliably to the quantum network through it to replenish their quantum keys, giving mobile users quantum security "endurance". The filling machine obtains quantum keys in real time from the key management machine of the middleware platform over a dedicated communication port and fills them through local interfaces such as USB (universal serial bus) and MicroSD (micro secure digital), so that the product can be attached to various system platforms and meet the requirement of mobile quantum key filling in various application scenarios.
The quantum security capability open platform in the cryptographic application service system is an open service platform for rapid service deployment. It serves users and separates service deployment from the bearer network into independent parts, so that third-party service providers have an opportunity to compete; this favors interoperability among vendors and rapid rollout of new services. The platform adopts an open, standard and uniform network API and gives third-party vendors a means of loading services. Through these APIs, service applications can use the service capabilities of the bearer network without knowing the bearer network's signaling details.
As shown in fig. 1, the quantum security capability open platform in the cryptographic application service system comprises a registry and a service module. The registry registers the service capabilities of the services provided by the content service provider server; the service module provides customized services, key policies and business support system (BSS) functions that combine the service capabilities registered in the registry with the quantum security capability. The registry registers service capabilities and registers partners/content service providers; a content service provider can also act as a developer on the open platform, combining its traditional products with the quantum security capability by calling the API opened by the quantum cryptography application middleware, thus fusing quantum and ICT (information and communication technology) applications and providing value-added services to users.
Specifically, the registry implements the basic mechanism of the open platform: registration of service capability characteristics. The service capabilities provided by the content provider server are registered in the registry, which can inform applications of the available service functions on request, similar to a discovery mechanism; this mechanism applies, for example, when installing or upgrading service capabilities. When an application of a third-party service provider (i.e. a content service provider) applies for a service, the application is authenticated by the registry, which establishes the relationship between service and application, i.e. records which applications have applied for which services. The service module abstracts the service capabilities of the bearer network into services with quantum security capability, provided and supported by the content service provider server. A content service provider can combine the service capabilities provided by the open platform with its own ICT application and offer users applications with quantum security capability. The capabilities provided by the open platform fall into three main categories: service customization, key policy and BSS functions.
The cryptographic application service system shown in fig. 1 further includes several types of interfaces to meet the differing needs of clients, partners and content service providers. The cryptographic service interface, the quantum key source interface and the management interface of this embodiment are described in turn below:
Cryptographic service interface: provided by the quantum cryptography application middleware to clients. It can connect to the key engine and delivers quantum security services in dimensions such as data transmission, storage and authentication, either as an API or as a traffic (flow) delivery mode. In API delivery, the middleware provides key factors or key vectors to the key engine through the cryptographic service interface. In traffic delivery, the middleware itself encrypts or decrypts the service application data (or the session key) with the quantum key supplied by the key management machine, i.e. the traffic itself passes through the interface. The cryptographic service interface can also be integrated deeply with the user's ICT service applications. For example, in user service scenarios such as infrastructure applications (cloud desktops, cloud platforms), situation awareness data, disaster recovery/mirror backup, vertical-industry applications and the industrial internet, diverse security engines deliver quantum communication security capability on the user application side; by combining the various security engines with the application systems, network equipment and cloud resources (containers, cloud servers, cloud databases, etc.) that carry services in the user network, enterprise services of all kinds gain quantum security support.
Quantum key source interface: mainly the QKM (quantum key manager) key source interface, located between the quantum cryptography application middleware and the QKD network. The middleware obtains keys from the QKD network through this interface; the implementation is the quantum key service SDK. The QKM key source interface carries the communication between the SDK and the QKM by calling the QKM interface protocol over TCP/IP; its functions include initialization, reading device information, counter initialization, session application/destruction, key application and key consistency check. The quantum key service SDK is deployed in the system, provides a uniform API and hides the protocol details of the underlying quantum network and quantum devices. An application of the middleware accesses the quantum network (such as the QKD network) and the quantum device key source through the API provided by the quantum key service SDK.
Management interface: the quantum cryptography application middleware provides a management API to the management system, which comprises the QNMS, the QBSS and the security center.
Specifically, the management API provided to the QNMS exposes the management capabilities of the pass-through devices, firewalls and servers to the QNMS. It may include an alarm service interface, a configuration service interface and a performance service interface, for reporting configuration, performance, management, security, alarm and slice information.
Because the middleware interacts with the open platform and there is a business relationship of API consumption and settlement between them, the middleware transfers CRM (customer relationship management), order and billing information to the QBSS through the management API provided to it; for the consumption of purchased quantum services by platform customers, the billing module performs consumption statistics and reconciliation and synchronizes the related data to the operation center and the user center.
The management API provided to the security center supports access to the national unified security management center and to the centralized management center. When the system suffers malicious attacks, natural disasters or other significant hazards, the situation can be reported to the security center in time.
The architecture of the cryptographic application service system of this embodiment has been explained above; its use is now explained with specific examples.
Example 1: the quantum security capability open platform has the following use process:
As shown in fig. 3, the content service provider server first registers its service capability with the registry, i.e. abstracts the service capability of the bearer network into a set of services. Second, the content service provider authenticates and is authorized at the registry. Then the registry discovers and selects services and a service level agreement is signed. Once the service agreement is established, the content service provider's application can interact with the platform's service functions: the application calls the service through the quantum security capability open platform, and the open platform passes the call to the quantum cryptography application middleware through the protection and reinforcement gateway, thus providing quantum security capability to the user.
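The registry described above and in the fig. 3 flow makes three decisions that matter for security: whether a provider is who it claims to be, whether the service it offers is actually its own, and whether a given application holds a live agreement for the service it is calling. The following is an added example, not code from the patent or the applicants, showing one way to implement those checks: provider credentials are stored hashed and compared in constant time, the service agreement is an HMAC-signed token that binds application, service and expiry, and the platform verifies both the signature and its own agreement table before forwarding a call to the middleware. The token layout, the `Registry` API, the `platform-secret` key and the service names are assumptions; the patent specifies none of them. Standard library only.

```python
"""Open-platform registry: capability registration, provider authentication,
service agreements and the authorization check before forwarding a call.

Added example (not the patent's code). Token layout, API names and all
credentials are assumed for illustration."""
import hashlib
import hmac
import json
import time


class Registry:
    """Who offers which service, and which application may call it."""

    def __init__(self, platform_secret: bytes):
        self._secret = platform_secret   # signs service agreements (assumed)
        self._capabilities = {}          # service -> provider
        self._providers = {}             # provider -> sha256(credential)
        self._agreements = {}            # (app, service) -> expiry (epoch seconds)

    # fig. 3, step 1: the provider registers its service capability
    def register_capability(self, provider: str, service: str, credential: bytes) -> None:
        self._providers[provider] = hashlib.sha256(credential).hexdigest()
        self._capabilities[service] = provider

    def discover(self) -> list:
        """Discovery: the services currently registered."""
        return sorted(self._capabilities)

    # step 2: provider authentication
    def authenticate(self, provider: str, credential: bytes) -> bool:
        stored = self._providers.get(provider)
        given = hashlib.sha256(credential).hexdigest()
        return stored is not None and hmac.compare_digest(stored, given)

    # step 3: a service agreement binds one application to one service
    def sign_agreement(self, provider, credential, app, service, ttl=3600, now=None) -> str:
        if not self.authenticate(provider, credential):
            raise PermissionError("provider not authenticated")
        if self._capabilities.get(service) != provider:
            raise PermissionError("service not registered by this provider")
        now = time.time() if now is None else now
        body = {"app": app, "service": service, "exp": int(now + ttl)}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        self._agreements[(app, service)] = body["exp"]
        return payload.hex() + "." + tag

    def revoke_agreement(self, app: str, service: str) -> None:
        self._agreements.pop((app, service), None)

    # step 4: the platform checks the agreement before forwarding the call
    def authorize_call(self, token: str, app: str, service: str, now=None) -> bool:
        try:
            payload_hex, tag = token.split(".")
            payload = bytes.fromhex(payload_hex)
            body = json.loads(payload)
        except ValueError:                       # malformed token, bad hex or bad JSON
            return False
        expected = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        now = time.time() if now is None else now
        return (body.get("app") == app and body.get("service") == service
                and body.get("exp", 0) > now
                and self._agreements.get((app, service)) == body["exp"])


def call_service(registry: Registry, token: str, app: str, service: str, request: dict) -> dict:
    """Platform-side entry point: refuse unless the agreement checks out, otherwise
    hand the request on to the middleware (modeled here as a plain dict)."""
    if not registry.authorize_call(token, app, service):
        raise PermissionError(f"{app} has no valid agreement for {service}")
    return {"to": "quantum-cryptography-application-middleware",
            "service": service, "app": app, "request": request}


if __name__ == "__main__":
    reg = Registry(b"platform-secret")
    reg.register_capability("csp-1", "secure-transmission", b"csp1-credential")
    tok = reg.sign_agreement("csp-1", b"csp1-credential", "app-A", "secure-transmission")
    print(call_service(reg, tok, "app-A", "secure-transmission", {"op": "encrypt"}))
```

Checking the agreement table as well as the signature is what makes revocation work: a signed token alone would stay valid until it expires, whereas the table lets the platform cut off an application the moment the provider withdraws the service.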
Example 2: online usage flow, taking the secure transmission service of an ICT application as an example; steps 1 to 5 as shown in fig. 4:
Step 1: authorization and network access inside the quantum cryptography application middleware. The security engine deployed at the user side initiates a network access request to the middleware platform, which authenticates and authorizes the security engine. After successful authorization the security engine initializes its service interface, configuration information and key policies; the middleware platform updates the security engine information synchronously and issues the service policy, configuration policy and key policy to the security engine.
Step 2: the security engine at user 1 requests secure transmission of data to user 2, and the plaintext traffic is submitted to the security engine.
Step 3: under the management of the middleware platform, the security engine requests a key from the QKD network. The QKD network negotiates in real time on the user 1 and user 2 sides, generates a pair of (identical) quantum keys and delivers them to the respective security engines.
Step 4: the security engine at user 1 encrypts the plaintext traffic with the obtained quantum key and sends the ciphertext traffic to the security engine at user 2 over another path, for example the internet.
Step 5: the security engine at user 2 decrypts the ciphertext traffic with the corresponding quantum key and passes the plaintext to user 2. This completes quantum-secure transmission of traffic between the two sites and fuses the converged service provided by the content service provider server with the quantum security capability comprising the quantum key, the encryption algorithm and the cryptographic protocol.
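Steps 2 to 5 above, together with the key consistency check listed for the QKM key source interface, carried through in code. This is an added example, not the patent's or the applicants' code: a simulated QKD network hands the same key block and key ID to the security engines of user 1 and user 2; both engines compare HMAC(key, key_id) rather than the key itself before using it; user 1's engine encrypts with the quantum key as a one-time pad and authenticates the message with HMAC-SHA256 under a one-time MAC key; user 2's engine verifies, then decrypts. Two deliberate departures from the gateway's listed algorithm menu: the one-time pad is used instead of AES/SM4 so that the key-consumption rule (no key byte is ever used twice) is visible in the code, and the integrity check is a keyed MAC rather than a bare hash, because an unkeyed digest such as MD5 or SHA-1 gives no protection against an attacker who can also rewrite the digest, and MD5 and SHA-1 are in any case broken for that purpose. The wire layout (`key_id | length | ciphertext | tag`), the `QkdNetworkSim` class and the engine API are assumptions. Standard library only.

```python
"""Example 2 online flow: QKD key delivery, consistency check, one-time-pad
encryption with HMAC-SHA256 integrity, and strict key consumption.

Added example (not the patent's code). Message layout, the QKD simulator and
the consistency-check construction are assumed for illustration."""
import hashlib
import hmac
import os
import struct


class QkdNetworkSim:
    """Stands in for the QKD network of fig. 4: each negotiation yields one
    key ID and one key block, delivered to both endpoints (assumed)."""

    def __init__(self):
        self._counter = 0

    def negotiate(self, length: int):
        self._counter += 1
        key_id = f"QK-{self._counter:06d}"
        key = os.urandom(length)
        return key_id, key, key          # copy for engine 1, copy for engine 2


class SecurityEngine:
    def __init__(self, name: str):
        self.name = name
        self._keys = {}                  # key_id -> key bytes not yet consumed

    def receive_key(self, key_id: str, key: bytes) -> None:
        self._keys[key_id] = key

    def consistency_digest(self, key_id: str) -> bytes:
        """Key consistency check (QKM interface): the peers compare
        HMAC(key, key_id) over the classical channel, never the key itself."""
        return hmac.new(self._keys[key_id], key_id.encode(), hashlib.sha256).digest()

    def _consume(self, key_id: str, n: int) -> bytes:
        """One-time-pad discipline: each key byte is handed out once, then gone."""
        key = self._keys[key_id]
        if len(key) < n:
            raise ValueError(f"{key_id}: need {n} key bytes, {len(key)} left")
        self._keys[key_id] = key[n:]
        return key[:n]

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        pad = self._consume(key_id, len(plaintext))
        mac_key = self._consume(key_id, 32)
        ct = bytes(p ^ k for p, k in zip(plaintext, pad))
        header = key_id.encode() + b"|" + struct.pack(">I", len(ct))
        tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        return header + ct + tag         # layout: key_id | len | ct | tag (assumed)

    def decrypt(self, msg: bytes) -> bytes:
        key_id_b, rest = msg.split(b"|", 1)
        key_id = key_id_b.decode()
        (n,) = struct.unpack(">I", rest[:4])
        ct, tag = rest[4:4 + n], rest[4 + n:]
        # Key material is consumed even if the tag fails: burning key on a
        # forged message is preferable to ever reusing it.
        pad = self._consume(key_id, n)
        mac_key = self._consume(key_id, 32)
        header = key_id_b + b"|" + rest[:4]
        expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("integrity check failed; ciphertext discarded")
        return bytes(c ^ k for c, k in zip(ct, pad))


def run_online_flow(plaintext: bytes, qkd: QkdNetworkSim = None):
    """Steps 2 to 5 of fig. 4 for one message; returns (recovered plaintext, wire message)."""
    qkd = qkd or QkdNetworkSim()
    user1, user2 = SecurityEngine("user1"), SecurityEngine("user2")
    key_id, k1, k2 = qkd.negotiate(len(plaintext) + 32)   # pad bytes + one-time MAC key
    user1.receive_key(key_id, k1)
    user2.receive_key(key_id, k2)
    if not hmac.compare_digest(user1.consistency_digest(key_id), user2.consistency_digest(key_id)):
        raise RuntimeError(f"{key_id}: key consistency check failed")
    wire = user1.encrypt(key_id, plaintext)                # crosses the internet
    return user2.decrypt(wire), wire


if __name__ == "__main__":
    recovered, wire = run_online_flow(b"quantum secure traffic")
    print(len(wire), "bytes on the wire ->", recovered)
```

The point a practitioner should take from this is the accounting: the QKD network delivers a finite key block, and the engines must request `len(plaintext) + 32` bytes per message and refuse to send once the block is spent. If the gateway is instead configured to feed quantum keys into AES or SM4, the same accounting applies per key rather than per byte, and the one-time MAC key becomes an AEAD mode such as GCM.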
Example 3: offline usage flow, steps 1 to 4 as shown in fig. 5:
Step 1: the branch user inserts the quantum security U shield into the quantum key filling machine and requests quantum key filling.
Step 2: after authentication by the QKD network, symmetric quantum keys are distributed to the branch's quantum security U shield and to the headquarters' quantum security gateway.
Step 3: the branch user inserts the quantum security U shield into an office terminal (laptop or mobile phone) and, when using the services provided by the headquarters business system, encrypts the plaintext data with it.
Step 4: the headquarters quantum security gateway receives the ciphertext, decrypts it and forwards the plaintext to the business system. This completes quantum-secure transmission of data traffic between the office terminal and the headquarters.
Example 4: roaming flow, steps 1 to 5 as shown in fig. 6:
Step 1: user B, homed on middleware platform B in Shanghai, initiates a location update in the visited city, Beijing, i.e. user B sends the location update to middleware platform A.
Step 2: through the signaling addressing of middleware platform A (Beijing), user B is referred back to the home middleware platform B (Shanghai) for identity authentication and authorization.
Step 3: user B passes identity authentication and authorization and is confirmed as a valid user.
Step 4: the visited middleware platform A (Beijing) provides key agreement and encryption/decryption services to the user.
Step 5: user B, middleware platform A and middleware platform B settle the roaming fee according to the pre-signed roaming agreement.
Example 5: interconnection and interworking flow between middleware platforms. Inter-domain delivery and cross-domain interworking between middleware platforms are implemented by the interworking agent. Assume that security engine A1 in middleware platform A needs to communicate with security engine B1 in middleware platform B, and that both platforms have the interworking function enabled; the interworking flow comprises steps 1 to 4 as shown in fig. 7:
Step 1: the interworking agent receives the communication request initiated by middleware platform A, where security engine A1 resides.
Step 2: the interworking agent converts the data packet of middleware platform A into the packet format of middleware platform B and sends it to middleware platform B.
Step 3: middleware platform B receives the packet from the interworking agent, delivers it to security engine B1 and responds to the interworking agent with a message.
Step 4: the interworking agent converts the response packet received from middleware platform B into the format of middleware platform A and sends it to middleware platform A, completing cross-domain communication between security engine A1 and security engine B1.
Thus the cryptographic application service system of this embodiment supports use of the quantum security capability open platform, online and offline use of the quantum cryptography application middleware, roaming, and interworking between middleware platforms, which are not described further here.
Another embodiment of the invention relates to a quantum security capability open platform, communicatively connected to a content service provider server and to quantum cryptography application middleware, respectively, for combining the services provided by the content service provider server with the quantum security capability provided by the middleware into services with quantum security capability. The open platform comprises a registry and a service module: the registry registers the service capabilities of the services provided by the content service provider server; the service module provides customized services, key policies and business support system (BSS) functions that combine the service capabilities registered in the registry with the quantum security capability.
The quantum cryptography application middleware extracts quantum keys from the QKD network, integrates with partner/content service provider products and technologies through the open platform, and packages the result into standard security capabilities (quantum key, encryption algorithm, cryptographic protocol, etc.), providing cryptographic services to ICT applications and to the key engine and realizing identity authentication, confidentiality, integrity protection and the like. It achieves multi-node networking, solves the integration of the QKD network with partner/content service provider products and technologies as well as the inter-domain delivery of security capability among the middleware, the ICT applications and the key engine, and at the same time provides unified operation and O&M management and cross-domain interconnection of the QKD network, forming a service operation network. Service deployment is separated from the bearer network into an independent part, so that partners/content service providers have an opportunity to compete, interoperability among vendors and rapid deployment of new services are facilitated, and the impact of network evolution on existing and new services is minimized.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (8)

1. A cryptographic application service system, comprising:
a Quantum Key Distribution (QKD) network communicatively coupled with quantum cryptography application middleware, the QKD network configured to provide quantum keys to the quantum cryptography application middleware;
quantum cryptography application middleware, which is in communication connection with a quantum security capability open platform, provides quantum security capability to the quantum security capability open platform, and provides a cryptographic service interface to a user side, where the user side is deployed with a key engine and an Information and Communication Technology (ICT) application, where the quantum cryptography application middleware provides a quantum key for the ICT application through the cryptographic service interface, and provides a key factor or a key vector to the key engine through the cryptographic service interface, and the key engine is configured to derive a plurality of quantum keys based on the key factor or the key vector provided by the quantum cryptography application middleware;
the quantum security capability open platform is used for interacting with a content service provider server and combining the service provided by the content service provider server with the quantum security capability to form a service with quantum security capability;
the quantum cryptography application middleware provides routing and topology and is used for providing application with quantum security capability to a user side through the cryptographic service interface according to a quantum key acquired from the QKD network, wherein the quantum security capability comprises the quantum key, an encryption algorithm and a cryptographic protocol;
wherein the quantum cryptography application middleware comprises: a plurality of middleware platforms deployed at network nodes and a plurality of security engines deployed at user nodes, the network nodes including access nodes and core nodes; the middleware platform is connected with the security engine and is used for carrying out centralized management and control on the security engine; the security engine is connected with a middleware platform deployed at the access node, or the security engine is connected with a middleware platform deployed at the core node, and the middleware platform deployed at the access node is connected with the middleware platform deployed at the core node; the security engine is configured to obtain a quantum key provided for the ICT application from the QKD network, and provide a key factor or key vector to the key engine through the cryptographic service interface.
2. The cryptographic application service system of claim 1, wherein the quantum cryptographic application middleware is further configured to provide a management interface to a management system;
wherein the management system comprises: the system comprises a quantum communication network management system QNMS, a quantum communication service support system QBSS and a security center.
3. The cryptographic application service system of claim 1, wherein the security engine comprises: the system comprises a quantum security gateway, a quantum security service Software Development Kit (SDK), a quantum security U shield and a quantum key filling machine;
the quantum security gateway works in an online mode or an offline mode and is used for realizing one of the following functions or any combination thereof: quantum key agent, local key management, access authentication, session management, encryption and decryption engine, integrity protection and access control;
the quantum security service software development kit SDK works in an online mode or an offline mode according to a loaded hardware environment, and is used for providing a uniform application program interface API access interface and providing basic quantum security service functions, wherein the basic quantum security service functions comprise one of the following functions or any combination thereof: device management, access control, key agreement, cryptographic service, key management;
the quantum security U shield works in an offline mode and is used for storing a quantum key and providing a password service for a user side;
the quantum key filling machine works in an off-line mode and is used for providing an updated quantum key for the quantum security U shield.
4. The cryptographic application service system of claim 3, wherein the quantum security U shield comprises one or any combination of the following: a U shield, a TF card, a quantum security software cryptographic module and an encryption chip.
5. The cryptographic application service system of claim 1, wherein the middleware platform comprises: the system comprises a service unit, a control unit, an interconnection unit and a key management machine;
the service unit is used for providing an open architecture and safety management of quantum application service and a charging function of service; the control unit is used for providing operation analysis, access control and network operation and maintenance functions; the interconnection unit is used for providing routing management and topology management functions; the key management machine is used for carrying out key management.
6. The cryptographic application service system of any one of claims 1 to 5, wherein the quantum security capability open platform comprises: a registry and a service module;
the registration center is used for registering the service capability of the service provided by the content service provider server;
the service module is used for providing a customized service, a key strategy and a service support system (BSS) function which combines the service capability registered by the registration center and the quantum security capability.
7. The cryptographic application service system of any one of claims 1 to 5, wherein the QKD network and the quantum cryptographic application middleware are communicatively connected through a quantum key source interface;
wherein the quantum key source interface comprises: quantum key manager QKM key source interface.
8. A quantum security capability open platform, communicatively connected to a content service provider server and to quantum cryptography application middleware, respectively, for combining the services provided by the content service provider server with the quantum security capability provided by the quantum cryptography application middleware to form services with quantum security capability;
wherein the quantum security capability open platform comprises: a registration center and a service module; the registration center is used for registering the service capability of the service provided by the content service provider server; the service module is used for providing a customized service, a key strategy and a service support system (BSS) function which combines the service capability registered by the registration center with the quantum security capability;
wherein the quantum cryptography application middleware comprises: a plurality of middleware platforms deployed at network nodes and a plurality of security engines deployed at user nodes, the network nodes including access nodes and core nodes; the middleware platform is connected with the security engine and is used for carrying out centralized management and control on the security engine; the security engine is connected with a middleware platform deployed at the access node, or the security engine is connected with a middleware platform deployed at the core node, and the middleware platform deployed at the access node is connected with the middleware platform deployed at the core node; the security engine is used for acquiring quantum keys provided for ICT application from the QKD network, providing the quantum keys for the ICT application through the cryptographic service interface, and providing key factors or key vectors to the key engine through the cryptographic service interface, wherein the key engine is used for deriving a plurality of quantum keys based on the key factors or the key vectors provided by the quantum cryptographic application middleware;
the quantum cryptography application middleware provides routing and topology, and is used for providing applications with quantum security capability to a user side through the cryptography service interface according to quantum keys acquired from the QKD network, the user side is deployed with a key engine and Information and Communication Technology (ICT) applications, and the quantum security capability comprises quantum keys, an encryption algorithm and a cryptographic protocol.
CN202210537346.XA 2022-05-18 2022-05-18 Password application service system and quantum security capability open platform Active CN114726523B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210537346.XA CN114726523B (en) 2022-05-18 2022-05-18 Password application service system and quantum security capability open platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210537346.XA CN114726523B (en) 2022-05-18 2022-05-18 Password application service system and quantum security capability open platform

Publications (2)

Publication Number Publication Date
CN114726523A CN114726523A (en) 2022-07-08
CN114726523B true CN114726523B (en) 2022-09-13

Family

ID=82232297

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210537346.XA Active CN114726523B (en) 2022-05-18 2022-05-18 Password application service system and quantum security capability open platform

Country Status (1)

Country Link
CN (1) CN114726523B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115567205A (en) * 2022-09-29 2023-01-03 中电信量子科技有限公司 Method and system for realizing encryption and decryption of network session data stream by quantum key distribution
CN115567206A (en) * 2022-09-29 2023-01-03 中电信量子科技有限公司 Method and system for realizing encryption and decryption of network data message by quantum distribution key
CN116055091B (en) * 2022-11-15 2024-01-09 中电信量子科技有限公司 Method and system for realizing IPSec VPN by adopting software definition and quantum key distribution

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102196425B (en) * 2011-07-01 2013-04-03 安徽量子通信技术有限公司 Quantum-key-distribution-network-based mobile encryption system and communication method thereof
US11042609B2 (en) * 2017-08-03 2021-06-22 Cable Television Laboratories, Inc. Systems and methods for secure element registration and provisioning
CN109842485B (en) * 2017-11-26 2021-07-20 成都零光量子科技有限公司 Centralized quantum key service network system
CN111865589B (en) * 2020-08-14 2023-09-08 国科量子通信网络有限公司 Quantum communication encryption system and method for realizing mobile communication quantum encryption transmission
CN113824718B (en) * 2021-09-18 2022-11-25 国科量子通信网络有限公司 Quantum network access security middleware platform system
CN114285550A (en) * 2021-12-09 2022-04-05 成都量安区块链科技有限公司 Quantum security key service network, system and node device

Also Published As

Publication number Publication date
CN114726523A (en) 2022-07-08

Similar Documents

Publication Publication Date Title
CN114726523B (en) Password application service system and quantum security capability open platform
US11165604B2 (en) Method and system used by terminal to connect to virtual private network, and related device
CN111131258B (en) Safe private network architecture system based on 5G network slice
KR101438243B1 (en) Sim based authentication
US8327437B2 (en) Securing network traffic by distributing policies in a hierarchy over secure tunnels
EP2767029B1 (en) Secure communication
WO2004034645A1 (en) Identification information protection method in wlan interconnection
CN103155512A (en) System and method for providing secured access to services
EP2547051B1 (en) Confidential communication method using vpn, a system and program for the same, and memory media for program therefor
EP2689597A1 (en) A flexible system and method to manage digital certificates in a wireless network
JP2003501891A (en) Method and apparatus for communicating securely
Xu et al. BE-RAN: Blockchain-enabled open RAN with decentralized identity management and privacy-preserving communication
JP2004241976A (en) Mobile communication network system and method for authenticating mobile terminal
US7694015B2 (en) Connection control system, connection control equipment and connection management equipment
CN103188228B (en) A kind of method, security gateway and system for realizing End-to-End Security protection
TW202142011A (en) A method for preventing encrypted user identity from replay attacks
CN100499649C (en) Method for realizing safety coalition backup and switching
US20080222693A1 (en) Multiple security groups with common keys on distributed networks
Cremonini et al. Security, privacy, and trust in mobile systems and applications
Khozooyi et al. Security in mobile governmental transactions
CN114640514B (en) Security service system, access control method, and computer-readable storage medium
Prasad et al. Infrastructure Security for Future Mobile Communication System
CN115567196A (en) Quantum security cryptosystem and infrastructure
Fongen Protected and controlled communication between military and civilian networks
CN116723555A (en) Terminal access and data distribution method and system based on 5G-R

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant