CN116743372A - Quantum security protocol implementation method and system based on SSL protocol - Google Patents
Quantum security protocol implementation method and system based on SSL protocol Download PDFInfo
- Publication number
- CN116743372A CN116743372A CN202310897927.9A CN202310897927A CN116743372A CN 116743372 A CN116743372 A CN 116743372A CN 202310897927 A CN202310897927 A CN 202310897927A CN 116743372 A CN116743372 A CN 116743372A
- Authority
- CN
- China
- Prior art keywords
- client
- server
- protocol
- data
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 39
- 230000005540 biological transmission Effects 0.000 claims abstract description 12
- 238000004891 communication Methods 0.000 claims abstract description 11
- 238000004422 calculation algorithm Methods 0.000 claims description 93
- 230000006835 compression Effects 0.000 claims description 77
- 238000007906 compression Methods 0.000 claims description 77
- 238000004590 computer program Methods 0.000 claims description 6
- 238000012795 verification Methods 0.000 claims description 6
- 238000005516 engineering process Methods 0.000 abstract description 4
- 230000010354 integration Effects 0.000 abstract description 3
- 238000007689 inspection Methods 0.000 abstract description 2
- 230000006870 function Effects 0.000 description 4
- 238000004806 packaging method and process Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000000354 decomposition reaction Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/04—Protocols for data compression, e.g. ROHC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The application provides a quantum security protocol implementation method and a system based on an SSL protocol, which relate to the technical field of quantum secret communication and comprise the following steps: step A: establishing connection between the client and the server through a handshake protocol, authenticating the server by the client, and then authenticating the client by the server to complete the handshake protocol; and (B) step (B): and dividing the query request or the plaintext data returned by the data center into data segments through a recording layer protocol, compressing the data segments, encrypting the compressed data segments, adding recording information, and decrypting after receiving the encryption information by the client. The application can realize the integration of the quantum key distribution technology and the network security protocol, prevent the secret leakage of service data and the tamper resistance of inspection data, and strengthen the security of information transmission.
Description
Technical Field
The application relates to the technical field of quantum secret communication, in particular to a quantum security protocol implementation method and system based on an SSL protocol.
Background
After twenty-first century, quantum computers developed rapidly, which would pose a great threat to the existing mainstream public key system, and mainstream public key algorithms, such as RSA algorithm based on a large number of decomposition, would be easily broken by quantum computers, while encryption is performed in the existing browser security protocol SSL using an asymmetric encryption manner, so that the encryption manner of the browser has become more and more difficult to meet the security requirement.
Quantum secret communication is considered as one of important means capable of ensuring information security, and Quantum Key Distribution (QKD) is the technology that has been the fastest moving to engineering practicability in quantum secret communication, and is an important direction in quantum communication. QKD based on the fundamental nature of quantum physics rather than computational complexity, key QKD techniques that can share information in an absolutely secure manner over quantum channels between spatially separated users do not directly transfer information, but rather do distribute keys, after key agreement both parties can get the same quantum key, then encrypt plaintext with the quantum key, and then transmit ciphertext over classical channels.
Disclosure of Invention
Aiming at the defects in the prior art, the application provides a quantum security protocol implementation method and a quantum security protocol implementation system based on an SSL protocol.
According to the quantum security protocol implementation method and system based on the SSL protocol, the scheme is as follows:
in a first aspect, a quantum security protocol implementation method based on SSL protocol is provided, where the method includes:
step A: establishing connection between the client and the server through a handshake protocol, authenticating the server by the client, and then authenticating the client by the server to complete the handshake protocol;
and (B) step (B): dividing the inquiring request or the plaintext data returned by the data center into data segments through a recording layer protocol, compressing the data segments, encrypting the compressed data segments, adding recording information, and decrypting after receiving the encryption information by a client;
when SSL connection is established, the handshake protocol is firstly carried out, and the safety of both communication parties is ensured through relevant steps including identity verification and algorithm negotiation; successful completion of the handshake protocol will result in the generation of quantum key frame headers and other security parameters that will be used for data encryption and integrity protection of the record layer protocol, which, once handshake is successful, will encrypt and protect the transmission of upper layer application data using quantum keys and algorithms negotiated during the handshake phase.
Preferably, the step a includes:
step A1: the Client sends Client Hello message and Server return Server Hello message to the Server; the method comprises the steps that a client initiates and informs a server of supportable encryption algorithm combinations, an encryption suite list and a session ID, and the server selects an encryption algorithm and a compression algorithm from the encryption suite list transmitted by the client and returns the encryption algorithm and the compression algorithm together with the session ID;
step A2: the server sends a certificate message, a client certificate request message and a certificate request completion message to the client;
step A3: if the server requires the client certificate, executing the stage, wherein the client firstly verifies whether the server provides a legal certificate, and if the server meets the condition, sending a client certificate message and a certificate authentication message to the server;
step A4: and finishing a handshake protocol, sending finishing information by the client, calculating the MAC value of plaintext data by using a quantum key, encrypting the MAC value and the Finished character segment by using a negotiated encryption algorithm, transmitting the encrypted value and the Finished character segment to the server, calculating the MAC value after the server decrypts and finishes identifying the Finished character segment, returning finishing information if the MAC values are the same, and immediately terminating the session if the MAC values are different.
Preferably, the MAC algorithm is: and calculating an MAC value according to the plaintext data and the quantum key, and then symmetrically encrypting the calculated MAC value and the plaintext data by using the quantum key to obtain a final ciphertext.
Preferably, the step B includes:
step B1: cutting the plaintext data into data segments;
step B2: c, compressing the data segment by the compression algorithm selected in the step A, wherein the compressed data segment is called a compression unit, and if the compression algorithm is not selected, the data segment is not compressed by default;
step B3: extracting a corresponding quantum key by utilizing quantum key frame header information negotiated by a handshake protocol, calculating MAC values of the quantum key and a compression unit, and encrypting the compression unit and the MAC values by using the quantum key, wherein the encrypted compression unit and the MAC values are called as an encryption unit;
step B4: adding record information in an encryption unit, wherein the record information comprises high-layer protocol information, protocol version and compressed length information;
step B5: and transmitting the data to the client, and decrypting after the client receives the encrypted information.
Preferably, the sliced data block is 16 kbytes in length.
Preferably, the compressed compression unit length is no more than 1024 bytes.
In a second aspect, a quantum security protocol implementation system based on SSL protocol is provided, the system comprising:
module a: establishing connection between the client and the server through a handshake protocol, authenticating the server by the client, and then authenticating the client by the server to complete the handshake protocol;
module B: dividing the inquiring request or the plaintext data returned by the data center into data segments through a recording layer protocol, compressing the data segments, encrypting the compressed data segments, adding recording information, and decrypting after receiving the encryption information by a client;
when SSL connection is established, the handshake protocol is firstly carried out, and the safety of both communication parties is ensured through relevant steps including identity verification and algorithm negotiation; successful completion of the handshake protocol will result in the generation of quantum key frame headers and other security parameters that will be used for data encryption and integrity protection of the record layer protocol, which, once handshake is successful, will encrypt and protect the transmission of upper layer application data using quantum keys and algorithms negotiated during the handshake phase.
Preferably, the module a comprises:
module A1: the Client sends Client Hello message and Server return Server Hello message to the Server; the method comprises the steps that a client initiates and informs a server of supportable encryption algorithm combinations, an encryption suite list and a session ID, and the server selects an encryption algorithm and a compression algorithm from the encryption suite list transmitted by the client and returns the encryption algorithm and the compression algorithm together with the session ID;
module A2: the server sends a certificate message, a client certificate request message and a certificate request completion message to the client;
module A3: if the server requires the client certificate, executing the stage, wherein the client firstly verifies whether the server provides a legal certificate, and if the server meets the condition, sending a client certificate message and a certificate authentication message to the server;
module A4: completing a handshake protocol, sending completion information by a client, calculating an MAC value of plaintext data by using a quantum key, encrypting the MAC value and a Finished character segment by using a negotiated encryption algorithm, transmitting the encrypted value and the Finished character segment to a server, calculating the MAC value after the server decrypts and completes the identification of the Finished character segment, returning completion information if the MAC values are the same, and immediately terminating the session if the MAC values are different;
the MAC algorithm is: calculating an MAC value according to the plaintext data and the quantum key, and then symmetrically encrypting the calculated MAC value and the plaintext data by using the quantum key to obtain a final ciphertext;
the module B includes:
module B1: cutting plaintext data into data segments, wherein the length of the cut data blocks is 16K bytes;
module B2: the data segment is compressed through the compression algorithm selected in the module A, the compressed data segment is called a compression unit, and if the compression algorithm is not selected, the compression is not performed by default; the length of the compressed compression unit is not more than 1024 bytes;
module B3: extracting a corresponding quantum key by utilizing quantum key frame header information negotiated by a handshake protocol, calculating MAC values of the quantum key and a compression unit, and encrypting the compression unit and the MAC values by using the quantum key, wherein the encrypted compression unit and the MAC values are called as an encryption unit;
module B4: adding record information in an encryption unit, wherein the record information comprises high-layer protocol information, protocol version and compressed length information;
module B5: and transmitting the data to the client, and decrypting after the client receives the encrypted information.
In a third aspect, a computer readable storage medium storing a computer program is provided, which when executed by a processor implements steps in the quantum security protocol implementation method based on SSL protocol.
In a fourth aspect, an electronic device is provided, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, which when executed by the processor implements steps in the quantum security protocol implementation method based on SSL protocol.
Compared with the prior art, the application has the following beneficial effects:
1. the application can realize the integration of the quantum key distribution technology and the network security protocol, prevent the leakage of business data and the tamper resistance of inspection data, and strengthen the security of information transmission;
2. the quantum security protocol disclosed by the application can be compatible with a traditional symmetric encryption algorithm, and the traditional system is not required to be changed too much;
3. the quantum security protocol based on the SSL protocol uses the secret key distributed by the quantum secret key to replace an asymmetric encryption algorithm, can resist the attack of a quantum computer, and has unconditional security.
Other advantages of the present application will be set forth in the description of specific technical features and solutions, by which those skilled in the art should understand the advantages that the technical features and solutions bring.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, given with reference to the accompanying drawings in which:
fig. 1 is a handshake protocol of a quantum security protocol based on SSL protocol;
fig. 2 is a recording layer protocol of the quantum security protocol based on the SSL protocol.
Detailed Description
The present application will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the present application, but are not intended to limit the application in any way. It should be noted that variations and modifications could be made by those skilled in the art without departing from the inventive concept. These are all within the scope of the present application.
The embodiment of the application provides a quantum security protocol implementation method based on an SSL protocol, which is shown by referring to FIG. 1, and specifically comprises the following steps:
step A: establishing connection between the client and the server through a handshake protocol, authenticating the server by the client, and then authenticating the client by the server to complete the handshake protocol;
and (B) step (B): and cutting the plaintext data into data segments through a recording layer protocol, compressing the data segments, encrypting the compressed data segments, adding recording information, and decrypting after receiving the encryption information by a client.
When SSL connection is established, the handshake protocol is firstly carried out, and the safety of both communication parties is ensured through the steps of identity verification, algorithm negotiation and the like. Successful completion of the handshake protocol results in the generation of quantum key frame headers and other security parameters that will be used for data encryption and integrity protection of the record layer protocol. Once the handshake is successful, the recording layer protocol will encrypt and protect the transmission of the upper layer application data using quantum keys and algorithms negotiated during the handshake phase.
Specifically, step a includes:
step A1: the Client sends Client Hello message and Server return Server Hello message to the Server; the method comprises the steps that a client initiates and informs a server of supportable encryption algorithm combinations, compression algorithm combinations (namely an encryption suite list) and session IDs, and the server selects the encryption algorithm and the compression algorithm from the encryption suite list transmitted by the client and returns the encryption algorithm and the compression algorithm together with the session IDs;
step A2: the server sends a certificate message, a client certificate request message and a certificate request completion message to the client;
step A3: if the server requires the client certificate, executing the stage, wherein the client firstly verifies whether the server provides a legal certificate, and if the server meets the condition, sending a client certificate message and a certificate authentication message to the server;
step A4: and finishing a handshake protocol, wherein the client sends finishing information, calculates the MAC value of plaintext data (comprising the used encryption algorithm, compression algorithm and quantum key frame header information) by using the quantum key, encrypts the MAC value and the Finished character segment by using the negotiated encryption algorithm, transmits the encrypted MAC value and the Finished character segment to the server, and calculates the MAC value after finishing decryption of the Finished character segment, if the MAC values are the same, the finishing information is returned, and if the MAC values are different, the session is terminated immediately.
Wherein, the MAC algorithm is: and calculating an MAC value according to the plaintext data and the quantum key, and then symmetrically encrypting the calculated MAC value and the plaintext data by using the quantum key to obtain a final ciphertext.
The step B comprises the following steps:
step B1: the plaintext data is segmented into data segments, the segmented data block length is 16K bytes, and the plaintext data can be a query request or plaintext information returned by a data center.
Step B2: c, compressing the data segment by the compression algorithm selected in the step A, wherein the compressed data segment is called a compression unit, and if the compression algorithm is not selected, the data segment is not compressed by default; the compressed compression unit length is not more than 1024 bytes.
Step B3: and extracting a corresponding quantum key by utilizing quantum key frame header information negotiated by a handshake protocol, calculating MAC values of the quantum key and the compression unit, and encrypting the compression unit and the MAC values by using the quantum key, wherein the encrypted compression unit and the MAC values are called as an encryption unit.
Step B4: adding record information in an encryption unit, wherein the record information comprises high-layer protocol information, protocol version and compressed length information, and packaging the record information into a TCP data packet;
step B5: and transmitting the data to the client, and decrypting after the client receives the encrypted information.
The application also provides a quantum security protocol implementation system based on the SSL protocol, which can be implemented by executing the flow steps of the quantum security protocol implementation method based on the SSL protocol, namely, a person skilled in the art can understand the quantum security protocol implementation method based on the SSL protocol as a preferred implementation mode of the quantum security protocol implementation system based on the SSL protocol. The system specifically comprises:
module a: establishing connection between the client and the server through a handshake protocol, authenticating the server by the client, and then authenticating the client by the server to complete the handshake protocol;
module B: and cutting the plaintext data into data segments through a recording layer protocol, compressing the data segments, encrypting the compressed data segments, adding recording information, and decrypting after receiving the encryption information by a client.
When SSL connection is established, the handshake protocol is firstly carried out, and the safety of both communication parties is ensured through the steps of identity verification, algorithm negotiation and the like. Successful completion of the handshake protocol results in the generation of quantum key frame headers and other security parameters that will be used for data encryption and integrity protection of the record layer protocol. Once the handshake is successful, the recording layer protocol will encrypt and protect the transmission of the upper layer application data using quantum keys and algorithms negotiated during the handshake phase.
Specifically, module a includes:
module A1: the Client sends Client Hello message and Server return Server Hello message to the Server; the method comprises the steps that a client initiates and informs a server of supportable encryption algorithm combinations, compression algorithm combinations (namely an encryption suite list) and session IDs, and the server selects the encryption algorithm and the compression algorithm from the encryption suite list transmitted by the client and returns the encryption algorithm and the compression algorithm together with the session IDs;
module A2: the server sends a certificate message, a client certificate request message and a certificate request completion message to the client;
module A3: if the server requires the client certificate, executing the stage, wherein the client firstly verifies whether the server provides a legal certificate, and if the server meets the condition, sending a client certificate message and a certificate authentication message to the server;
module A4: and finishing a handshake protocol, transmitting finishing information by the client, calculating by using a quantum key, including an encryption algorithm, a compression algorithm and an MAC value of quantum key frame header information, encrypting the MAC value and the Finished character segment by using a negotiated encryption algorithm, transmitting the encrypted and Finished character segment to the server, calculating the MAC value after finishing decryption of the Finished character segment, and if the MAC values are the same, returning finishing information, and if the MAC values are different, immediately terminating the session.
Wherein, the MAC algorithm is: and calculating an MAC value according to the plaintext data and the quantum key, and then symmetrically encrypting the calculated MAC value and the plaintext data by using the quantum key to obtain a final ciphertext.
The module B comprises:
module B1: the plaintext data is segmented into data segments, the segmented data block length is 16K bytes, and the plaintext data can be a query request or plaintext information returned by a data center.
Module B2: the data segment is compressed through the compression algorithm selected in the module A, the compressed data segment is called a compression unit, and if the compression algorithm is not selected, the compression is not performed by default; the compressed compression unit length is not more than 1024 bytes.
Module B3: and extracting a corresponding quantum key by utilizing quantum key frame header information negotiated by a handshake protocol, calculating MAC values of the quantum key and the compression unit, and encrypting the compression unit and the MAC values by using the quantum key, wherein the encrypted compression unit and the MAC values are called as an encryption unit.
Module B4: adding record information in an encryption unit, wherein the record information comprises high-layer protocol information, protocol version and compressed length information, and packaging the record information into a TCP data packet;
module B5: and transmitting the data to the client, and decrypting after the client receives the encrypted information.
Next, the present application will be described in more detail.
The application provides a quantum security protocol implementation method based on an SSL protocol, which comprises a handshake protocol and a recording layer protocol, and specifically comprises the following steps:
handshake protocol: the connection between the client and the server is established, then the client authenticates the server, then the server authenticates the client, and finally the handshake protocol is completed.
Referring to fig. 1, the handshake protocol steps include:
step A1: the method comprises the steps that a Client sends a Client Hello message to a Server and the Server returns a Server Hello message, the Client firstly initiates and informs the Server of supportable encryption algorithm combinations, compression algorithm combinations (namely an encryption suite list) and session IDs, and the Server selects the encryption algorithm and the compression algorithm from the encryption suite list transmitted by the Client and returns the encryption algorithm and the compression algorithm together with the session IDs.
Step A2: the server sends a certificate message, a client certificate request message and a certificate request completion message to the client.
Step A3: if the server requires the client certificate, executing the stage, firstly verifying whether the server provides legal certificates or not by the client, and if the conditions are met, sending a client certificate message and a certificate authentication message to the server.
Step A4: and the last stage completes the handshake protocol, the client sends completion information, uses quantum key calculation, comprises the used encryption algorithm, compression algorithm and MAC value of quantum key frame header information, encrypts the MAC value and the data information by using the negotiated encryption algorithm, transmits the encrypted MAC value and the data information to the server, calculates the MAC value after the decryption of the server is completed, returns completion information if the MAC values are the same, and immediately terminates the session if the MAC values are different.
The MAC algorithm is MtE (MAC-then-Encrypt): firstly, calculating an MAC value according to a plaintext and a quantum key, and then symmetrically encrypting the calculated MAC value and the plaintext by using the quantum key to obtain a final ciphertext.
Referring to fig. 2, the recording layer protocol segments user layer data into data segments, then compresses the data segments by using a compression algorithm defined in the handshake protocol, calculates a quantum key to be used and a MAC (message authentication code) of a compression unit, encrypts the whole unit, and finally adds recording information in the encryption unit, transmits the data to a client, and decrypts the encrypted information after the client receives the encrypted information.
The recording layer protocol includes: application layer data, a recording protocol unit, a compression unit, an encryption unit and a TCP data packet;
the application layer data refers to original information from an application program, and is actual data, namely plaintext data, which needs to be encrypted, transmitted and protected in a protocol.
The recording protocol unit is a basic data unit in the protocol, and consists of a Type (Type), a Version (Version), a Length (Length) and a Content (Content), and the sender encapsulates the application layer data into the recording protocol unit and encrypts the data by using an encryption algorithm negotiated in the handshake protocol. After receiving the recording protocol unit, the receiver decrypts and processes according to the type of the recording and the encryption algorithm to obtain the original application layer data.
The compression unit refers to a data unit compressed by application layer data in the recording layer protocol. In the recording layer, application layer data may be compressed using a compression algorithm negotiated in a handshake protocol to reduce the amount of data transferred.
The encryption unit refers to a data unit obtained by encrypting the compression unit and the MAC value. In the recording layer, the compression unit and the MAC value are encrypted using an encryption algorithm negotiated in a handshake protocol to ensure confidentiality and security of data during transmission.
A TCP packet is a basic transmission unit carrying recording layer data, and includes an encryption unit, higher layer protocol information, a protocol version, and compressed length information, and is responsible for transmitting recording layer data from one endpoint to another endpoint in a network.
The specific implementation flow is as follows:
step B1: the method comprises the steps of cutting plaintext data into record protocol units, wherein the length of the cut unit is 16K bytes, and the plaintext data can be a query request or plaintext information returned by a data center. 16K is a default setting in the classical SSL protocol, which may be adjusted according to the specific implementation and configuration.
Step B2: the data segments are compressed by a compression algorithm defined in the handshake protocol, and if no compression algorithm is selected, the data segments are not compressed by default. In order to balance data transmission efficiency and security and reduce potential security holes, the length of the compressed compression unit is not more than 1024 bytes.
Step B3: the method comprises the steps of extracting a corresponding quantum key by using quantum key frame header information negotiated by a right handshake protocol, calculating MAC (message authentication code) values of the quantum key and a compression unit, and encrypting the MAC values and the compression unit to form an encryption unit by using the quantum key, wherein MAC is a function MAC=C (K, M) of the message and the key, M is input information, K is a shared key, C is an MAC function, and the MAC is determined in the handshake process.
Step B4: and adding record information including high-level protocol information, protocol version and compressed length information into the encryption unit, and packaging the record information into a TCP data packet.
Step B5: and transmitting the TCP data packet to the client, and decrypting after the client receives the TCP data packet. The decryption process is the inverse of the encryption process.
The embodiment of the application provides a quantum security protocol implementation method and a system based on an SSL protocol, which realize the integration of a quantum key distribution technology and a network security protocol, prevent traffic data from being divulged and test data from being tampered, and strengthen the security of information transmission.
Those skilled in the art will appreciate that the application provides a system and its individual devices, modules, units, etc. that can be implemented entirely by logic programming of method steps, in addition to being implemented as pure computer readable program code, in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Therefore, the system and various devices, modules and units thereof provided by the application can be regarded as a hardware component, and the devices, modules and units for realizing various functions included in the system can also be regarded as structures in the hardware component; means, modules, and units for implementing the various functions may also be considered as either software modules for implementing the methods or structures within hardware components.
The foregoing describes specific embodiments of the present application. It is to be understood that the application is not limited to the particular embodiments described above, and that various changes or modifications may be made by those skilled in the art within the scope of the appended claims without affecting the spirit of the application. The embodiments of the application and the features of the embodiments may be combined with each other arbitrarily without conflict.
Claims (10)
1. The quantum security protocol implementation method based on the SSL protocol is characterized by comprising the following steps of:
step A: establishing connection between the client and the server through a handshake protocol, authenticating the server by the client, and then authenticating the client by the server to complete the handshake protocol;
and (B) step (B): dividing the inquiring request or the plaintext data returned by the data center into data segments through a recording layer protocol, compressing the data segments, encrypting the compressed data segments, adding recording information, and decrypting after receiving the encryption information by a client;
when SSL connection is established, the handshake protocol is firstly carried out, and the safety of both communication parties is ensured through relevant steps including identity verification and algorithm negotiation; successful completion of the handshake protocol will result in the generation of quantum key frame headers and other security parameters that will be used for data encryption and integrity protection of the record layer protocol, which, once handshake is successful, will encrypt and protect the transmission of upper layer application data using quantum keys and algorithms negotiated during the handshake phase.
2. The quantum security protocol implementation method based on SSL protocol according to claim 1, wherein the step a includes:
step A1: the Client sends Client Hello message and Server return Server Hello message to the Server; the method comprises the steps that a client initiates and informs a server of supportable encryption algorithm combinations, an encryption suite list and a session ID, and the server selects an encryption algorithm and a compression algorithm from the encryption suite list transmitted by the client and returns the encryption algorithm and the compression algorithm together with the session ID;
step A2: the server sends a certificate message, a client certificate request message and a certificate request completion message to the client;
step A3: if the server requires the client certificate, executing the stage, wherein the client firstly verifies whether the server provides a legal certificate, and if the server meets the condition, sending a client certificate message and a certificate authentication message to the server;
step A4: and finishing a handshake protocol, sending finishing information by the client, calculating the MAC value of plaintext data by using a quantum key, encrypting the MAC value and the Finished character segment by using a negotiated encryption algorithm, transmitting the encrypted value and the Finished character segment to the server, calculating the MAC value after the server decrypts and finishes identifying the Finished character segment, returning finishing information if the MAC values are the same, and immediately terminating the session if the MAC values are different.
3. The quantum security protocol implementation method based on SSL protocol according to claim 2, wherein the MAC algorithm is: and calculating an MAC value according to the plaintext data and the quantum key, and then symmetrically encrypting the calculated MAC value and the plaintext data by using the quantum key to obtain a final ciphertext.
4. The quantum security protocol implementation method based on SSL protocol according to claim 2, wherein the step B includes:
step B1: cutting the plaintext data into data segments;
step B2: c, compressing the data segment by the compression algorithm selected in the step A, wherein the compressed data segment is called a compression unit, and if the compression algorithm is not selected, the data segment is not compressed by default;
step B3: extracting a corresponding quantum key by utilizing quantum key frame header information negotiated by a handshake protocol, calculating MAC values of the quantum key and a compression unit, and encrypting the compression unit and the MAC values by using the quantum key, wherein the encrypted compression unit and the MAC values are called as an encryption unit;
step B4: adding record information in an encryption unit, wherein the record information comprises high-layer protocol information, protocol version and compressed length information;
step B5: and transmitting the data to the client, and decrypting after the client receives the encrypted information.
5. The method of claim 4, wherein the length of the sliced data block is 16 kbytes.
6. The method of claim 4, wherein the compressed compression unit length is no more than 1024 bytes.
7. A quantum security protocol implementation system based on SSL protocol, comprising:
module a: establishing connection between the client and the server through a handshake protocol, authenticating the server by the client, and then authenticating the client by the server to complete the handshake protocol;
module B: dividing the inquiring request or the plaintext data returned by the data center into data segments through a recording layer protocol, compressing the data segments, encrypting the compressed data segments, adding recording information, and decrypting after receiving the encryption information by a client;
when SSL connection is established, the handshake protocol is firstly carried out, and the safety of both communication parties is ensured through relevant steps including identity verification and algorithm negotiation; successful completion of the handshake protocol will result in the generation of quantum key frame headers and other security parameters that will be used for data encryption and integrity protection of the record layer protocol, which, once handshake is successful, will encrypt and protect the transmission of upper layer application data using quantum keys and algorithms negotiated during the handshake phase.
8. The SSL protocol-based quantum security protocol implementation system according to claim 7, wherein the module a comprises:
module A1: the Client sends Client Hello message and Server return Server Hello message to the Server; the method comprises the steps that a client initiates and informs a server of supportable encryption algorithm combinations, an encryption suite list and a session ID, and the server selects an encryption algorithm and a compression algorithm from the encryption suite list transmitted by the client and returns the encryption algorithm and the compression algorithm together with the session ID;
module A2: the server sends a certificate message, a client certificate request message and a certificate request completion message to the client;
module A3: if the server requires the client certificate, executing the stage, wherein the client firstly verifies whether the server provides a legal certificate, and if the server meets the condition, sending a client certificate message and a certificate authentication message to the server;
module A4: completing a handshake protocol, sending completion information by a client, calculating an MAC value of plaintext data by using a quantum key, encrypting the MAC value and a Finished character segment by using a negotiated encryption algorithm, transmitting the encrypted value and the Finished character segment to a server, calculating the MAC value after the server decrypts and completes the identification of the Finished character segment, returning completion information if the MAC values are the same, and immediately terminating the session if the MAC values are different;
the MAC algorithm is: calculating an MAC value according to the plaintext data and the quantum key, and then symmetrically encrypting the calculated MAC value and the plaintext data by using the quantum key to obtain a final ciphertext;
the module B includes:
module B1: cutting plaintext data into data segments, wherein the length of the cut data blocks is 16K bytes;
module B2: the data segment is compressed through the compression algorithm selected in the module A, the compressed data segment is called a compression unit, and if the compression algorithm is not selected, the compression is not performed by default; the length of the compressed compression unit is not more than 1024 bytes;
module B3: extracting a corresponding quantum key by utilizing quantum key frame header information negotiated by a handshake protocol, calculating MAC values of the quantum key and a compression unit, and encrypting the compression unit and the MAC values by using the quantum key, wherein the encrypted compression unit and the MAC values are called as an encryption unit;
module B4: adding record information in an encryption unit, wherein the record information comprises high-layer protocol information, protocol version and compressed length information;
module B5: and transmitting the data to the client, and decrypting after the client receives the encrypted information.
9. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the SSL protocol-based quantum security protocol implementation method according to any of claims 1 to 6.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the computer program when executed by the processor implements the steps of the quantum security protocol implementation method based on SSL protocol according to any of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310897927.9A CN116743372A (en) | 2023-07-20 | 2023-07-20 | Quantum security protocol implementation method and system based on SSL protocol |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310897927.9A CN116743372A (en) | 2023-07-20 | 2023-07-20 | Quantum security protocol implementation method and system based on SSL protocol |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116743372A true CN116743372A (en) | 2023-09-12 |
Family
ID=87915250
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310897927.9A Pending CN116743372A (en) | 2023-07-20 | 2023-07-20 | Quantum security protocol implementation method and system based on SSL protocol |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116743372A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117081840A (en) * | 2023-09-19 | 2023-11-17 | 中科驭数(北京)科技有限公司 | Secure socket layer communication method, device, special data processor and medium |
-
2023
- 2023-07-20 CN CN202310897927.9A patent/CN116743372A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117081840A (en) * | 2023-09-19 | 2023-11-17 | 中科驭数(北京)科技有限公司 | Secure socket layer communication method, device, special data processor and medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109347835B (en) | Information transmission method, client, server, and computer-readable storage medium | |
| US7688975B2 (en) | Method and apparatus for dynamic generation of symmetric encryption keys and exchange of dynamic symmetric key infrastructure | |
| CN111756529B (en) | Quantum session key distribution method and system | |
| EP3476078B1 (en) | Systems and methods for authenticating communications using a single message exchange and symmetric key | |
| JP2002319936A (en) | Apparatus and method for communication for making data safe | |
| CN107800675A (en) | A kind of data transmission method, terminal and server | |
| CN112637136A (en) | Encrypted communication method and system | |
| CN111756528B (en) | Quantum session key distribution method, device and communication architecture | |
| CN113079022B (en) | Secure transmission method and system based on SM2 key negotiation mechanism | |
| TW201537937A (en) | Unified identity authentication platform and authentication method thereof | |
| CN109547413B (en) | Access control method of convertible data cloud storage with data source authentication | |
| CN114143117A (en) | Data processing method and device | |
| CN114024698A (en) | Power distribution Internet of things service safety interaction method and system based on state cryptographic algorithm | |
| CN110839240A (en) | Method and device for establishing connection | |
| CN116743372A (en) | Quantum security protocol implementation method and system based on SSL protocol | |
| CN101997835A (en) | Network security communication method, data security processing device and system for finance | |
| CN111327591A (en) | Data transmission method, system and storage medium based on block chain | |
| US20060053288A1 (en) | Interface method and device for the on-line exchange of content data in a secure manner | |
| CN113329371B (en) | 5G Internet of vehicles V2V anonymous authentication and key agreement method based on PUF | |
| CN110611679A (en) | Data transmission method, device, equipment and system | |
| KR100456624B1 (en) | Authentication and key agreement scheme for mobile network | |
| JP4255046B2 (en) | Cryptographic communication path establishment method, program and program medium, and cryptographic communication system | |
| US20230188330A1 (en) | System and method for identity-based key agreement for secure communication | |
| CN112367329B (en) | Communication connection authentication method, device, computer equipment and storage medium | |
| CN114650173A (en) | Encryption communication method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |