CN116886288A - Quantum session key distribution method and device - Google Patents

Quantum session key distribution method and device

Info

Publication number: CN116886288A
Authority: CN (China)
Prior art keywords: quantum, session key, protocol, key, application
Legal status: Pending
Application number: CN202310898481.1A
Other languages: Chinese (zh)
Inventors: 陈洁容, 詹俊锐, 高锐嘉, 游耀祥
Current Assignee: Quantumctek Guangdong Co ltd
Original Assignee: Quantumctek Guangdong Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The application discloses a quantum session key distribution method and device, comprising the following steps: carrying out quantum session key distribution for communicating application devices based on a preset quantum security protocol, wherein, if no trusted third party is involved between the communicating application devices, the application devices are authenticated based on the quantum security handshake protocol in the preset quantum security protocol, the encryption suite and session key rule to be used are determined, and quantum session key distribution is carried out for the application devices based on that encryption suite and session key rule; if a trusted third party is arranged between the communicating application devices, a secure communication channel is established between the application devices and the trusted third party based on the quantum security handshake protocol, quantum session key distribution is executed over that secure channel, and the application devices then communicate based on the quantum session key. The application addresses the potential security threats and lower communication security of traditional key distribution.

Description

Quantum session key distribution method and device
This application is a divisional application of the application filed on 28 March 2019 with application number 2019102433950, entitled: a quantum session key distribution method, device and communication architecture.
Technical Field
The present invention relates to the field of quantum communication technologies, and in particular, to a method and an apparatus for distributing a quantum session key, and a communication architecture.
Background
As business processes move onto networks, users are increasingly concerned about the security of service data in transit and the security of communication storage. Currently, in the traditional computer field, there are two typical methods for authentication and session key distribution: one is based on the SSL (Secure Sockets Layer) protocol and the other on the Kerberos network authentication protocol.
The SSL protocol sits between the network layer and the application layer of the TCP/IP protocol model and uses TCP to provide a reliable end-to-end security service that protects communications between client/server applications from eavesdropping by attackers; it always authenticates the server and optionally the client. SSL negotiates the encryption algorithm and the working key and authenticates the server before application-layer communication begins, after which the data carried by the application-layer protocol is encrypted. Kerberos provides a centralized authentication server architecture that uses symmetric-key encryption to achieve mutual authentication between a user and the server the user accesses. The Kerberos key distribution center holds a database of all clients and their key information, in which clients first register their identity information and secret keys.
However, key distribution based on either protocol has certain drawbacks. The security of SSL session key negotiation relies primarily on cryptographic protection of the premaster key using a public key infrastructure such as RSA, ECC or IBC. The security of a public-key system depends on computational complexity, so it is not unconditionally secure in theory, and the continual growth of computing power and the emergence of quantum computers raise the probability that it is broken; public-key systems therefore carry a significant security risk. The Kerberos session key distribution process uses symmetric-key encryption, and its main defects are these: the security of session key distribution depends on the security of two shared keys, that between the client C and the authentication server AS and that between the application server S and the ticket granting server TGS, and it cannot prevent attacks by password-cracking programs; the shared key is usually stored as a file on the client or server, with no effective key protection mechanism; and the shared key lacks a safe and convenient update mechanism, so once it is cracked the problem must be resolved by human intervention, which is slow. Therefore, key distribution as implemented in SSL and Kerberos has a number of security weaknesses and cannot provide an effective guarantee for the communication security of mobile application services.
Disclosure of Invention
In view of the above problems, the invention provides a quantum session key distribution method, a quantum session key distribution device and a communication architecture, which address the potential security threats and lower communication security caused by the cracking of traditional key distribution.
In order to achieve the above object, the present invention provides the following technical solutions:
a quantum session key distribution method, comprising:
performing quantum session key distribution for communicating application devices based on a preset quantum security protocol, wherein,
if a trusted third party is not involved between the application devices for communication, authenticating the application devices based on a quantum security handshake protocol in the preset quantum security protocol, negotiating an encryption suite and a session key rule used in the communication process of the application devices, and carrying out quantum session key distribution on the application devices based on the encryption suite and the session key rule to realize the communication of the application devices based on the quantum session key;
if a trusted third party is arranged between the application devices for communication, a secure communication channel is established between the application devices and the trusted third party based on the quantum security handshake protocol, quantum session key distribution is executed on the secure communication channel, and the application devices are enabled to communicate based on the quantum session key.
Optionally, the encryption mode for the communication data packets of the preset quantum security protocol is negotiated and confirmed during the mutual authentication between the two devices. Each communication data packet of the preset quantum security protocol is encrypted and protected, in the negotiated encryption mode, with the key corresponding to a designated key identifier, so that the quantum session key is protected by a one-time pad or by a preset symmetric encryption mode and is carried inside the communication data packets during quantum session key distribution.
Optionally, the preset quantum security protocol includes:
the quantum security handshake protocol, the quantum security session key distribution protocol, the quantum security key change protocol, the quantum security alert protocol and the quantum security record protocol, wherein:
the quantum security handshake protocol is the protocol by which devices in the system that hold shared symmetric keys negotiate mutual authentication and an encrypted communication mechanism;
the quantum security session key distribution protocol is the protocol by which a trusted third party in the system provides identity authentication and session key distribution to the two communicating parties at the application layer, and by which those parties then communicate encrypted under the session key they obtained;
the quantum security key change protocol is the protocol that notifies an application device that the protocol in use has changed;
the quantum security alert protocol is the protocol that transmits to an application device alert information defined according to the characteristics of the symmetric keys;
the quantum security record protocol is the protocol that splits upper-layer protocol data into blocks, encrypts them, and transmits the processed record blocks to the receiving end.
Optionally, the method is applied to a quantum session key communication architecture between a quantum key application device and a quantum key user client. The architecture includes a quantum key application device, a quantum key user client, a quantum security service device and a quantum key distribution service device, where the quantum key application device is communicatively connected to the quantum key user client, the quantum key user client is connected to the quantum security service device, the quantum key application device is connected to the quantum key distribution service device, and the quantum key distribution service device is connected to the quantum security service device. The method includes:
transmitting a first session key application from the quantum key user client to the quantum security service device;
sending the first session key application response returned by the quantum security service device to the quantum key user client;
forwarding the session key ticket, obtained by the quantum key user client from the first session key application response, to the quantum key application device;
transmitting a second session key request from the quantum key application device to the quantum key distribution service device, which forwards the second session key request to the quantum security service device;
transmitting the second session key request response, generated by the quantum security service device from the second session key request, to the quantum key application device through the quantum key distribution service device;
and sending the session key ticket response, generated by the quantum key application device from the second session key request response, to the quantum key user client, thereby completing session key distribution between the quantum key application device and the quantum key user client.
Optionally, the method is applied to a quantum session key communication architecture between a first quantum key user client and a second quantum key user client. The architecture comprises a first quantum key user client, a second quantum key user client and a quantum security service device, where the first quantum key user client is communicatively connected to the quantum security service device and the second quantum key user client is communicatively connected to the quantum security service device. The method comprises the following steps:
transmitting a first session key application from the first quantum key user client to the quantum security service device, and transmitting the first session key application response generated by the quantum security service device to the first quantum key user client;
forwarding the session key ticket, generated by the first quantum key user client from the first session key application response, to the second quantum key user client;
when the second quantum key user client receives the session key ticket, sending a second session key request from the second quantum key user client to the quantum security service device, and sending the second session key request response, generated by the quantum security service device from the second session key request, to the second quantum key user client;
and transmitting the session key ticket response, generated by the second quantum key user client from the second session key request response, to the first quantum key user client, thereby completing session key distribution between the first quantum key user client and the second quantum key user client.
Optionally, the method is applied to a quantum session key communication architecture between a first quantum key application device and a second quantum key application device. The architecture comprises a first quantum key application device, a second quantum key application device, a first quantum key distribution service device, a second quantum key distribution service device and a quantum security service device, where the first quantum key application device is connected to the first quantum key distribution service device, the first quantum key distribution service device is connected to the quantum security service device, the second quantum key application device is connected to the second quantum key distribution service device, and the second quantum key distribution service device is connected to the quantum security service device. The method comprises the following steps:
transmitting a first session key application from the first quantum key application device to the first quantum key distribution service device, and forwarding the first session key application to the quantum security service device through the first quantum key distribution service device;
transmitting the first session key application response generated by the quantum security service device to the first quantum key application device through the first quantum key distribution service device;
forwarding the session key ticket, generated by the first quantum key application device from the first session key application response, to the second quantum key application device;
transmitting a second session key application from the second quantum key application device to the second quantum key distribution service device, and forwarding the second session key application to the quantum security service device through the second quantum key distribution service device;
transmitting the second session key application response generated by the quantum security service device to the second quantum key application device through the second quantum key distribution service device;
and forwarding the session key ticket response, generated by the second quantum key application device from the second session key application response, to the first quantum key application device, thereby completing session key distribution between the first quantum key application device and the second quantum key application device.
Optionally, the method further comprises:
when the first quantum key application device receives the session key ticket response, sending a response ticket verification request generated by the first quantum key application device to the first quantum key distribution service device, and returning the response ticket verification request response generated by the first quantum key distribution service device to the first quantum key application device, thereby verifying the session key ticket response.
Optionally, the first session key application includes key identification information used for communication data packet encryption and an application session key amount.
Optionally, the session key ticket includes a validity time of the session key ticket, a session key amount, and device identification information.
Optionally, the session key ticket response includes the requested session key quantity and the result of the request.
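The quantum key user client (QKUC) to quantum key application device (QKUD) flow listed above, together with the ticket and response contents of the optional clauses, worked through as an added simulation; this is not code from the patent or from its assignee. Assumptions not on the page: each device shares a pre-loaded key pool with the quantum security service (QSS), every packet is protected by a one-time pad plus an HMAC-SHA256 key drawn from that pool (standing in for the negotiated encryption suite), the ticket is sealed under the QKUD's pool and carries no key itself, the quantum key distribution service (QKDS) is a transparent relay, and the 5-minute validity, device names and field names are constructed.

```python
import hashlib
import hmac
import json
import secrets

TICKET_VALIDITY = 300  # assumed 5-minute ticket lifetime; the page gives no value


class KeyPool:
    """One party's copy of the key material it shares with the QSS; offset = bytes already used."""
    def __init__(self, key_id: str, material: bytes):
        self.key_id, self.material, self.offset = key_id, material, 0

    def take(self, n: int) -> bytes:
        if self.offset + n > len(self.material):
            raise RuntimeError(f"key pool {self.key_id} exhausted")
        self.offset += n
        return self.material[self.offset - n:self.offset]


def protect(pool: KeyPool, obj: dict) -> dict:
    """One-time-pad a JSON message with pool bytes and tag it with an HMAC key from the same pool."""
    pt, start = json.dumps(obj, sort_keys=True).encode(), pool.offset
    pad, mac_key = pool.take(len(pt)), pool.take(32)
    ct = bytes(a ^ b for a, b in zip(pt, pad))
    return {"key_id": pool.key_id, "offset": start, "ct": ct.hex(),
            "tag": hmac.new(mac_key, ct, hashlib.sha256).hexdigest()}


def unprotect(pool: KeyPool, packet: dict) -> dict:
    """Reverse of protect(); a packet reusing already-consumed pad bytes (a replay) is rejected."""
    start, ct = packet["offset"], bytes.fromhex(packet["ct"])
    if packet["key_id"] != pool.key_id or start < pool.offset:
        raise ValueError("wrong key id or key material already used")
    end = start + len(ct) + 32
    pad, mac_key = pool.material[start:start + len(ct)], pool.material[start + len(ct):end]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).hexdigest(), packet["tag"]):
        raise ValueError("bad tag")
    pool.offset = end  # commit the consumed range only after the tag verifies
    return json.loads(bytes(a ^ b for a, b in zip(ct, pad)))


class QSS:
    """Quantum security service (trusted third party) holding one key pool per device id."""
    def __init__(self, pools: dict):
        self.pools, self.sessions = pools, {}

    def first_application(self, packet: dict, now: float) -> dict:
        """Step 2: return the QKUC's key copy plus a ticket sealed for the QKUD it named."""
        client = packet["key_id"]  # the sender's identity is the key that authenticated the packet
        req = unprotect(self.pools[client], packet)
        key = secrets.token_bytes(req["amount"])
        ticket = {"ticket_id": secrets.token_hex(8), "client": client, "server": req["peer_id"],
                  "amount": req["amount"], "valid_until": now + TICKET_VALIDITY}
        self.sessions[ticket["ticket_id"]] = (key, ticket)
        ticket_pkt = protect(self.pools[req["peer_id"]], ticket)  # the forwarding QKUC cannot read it
        return protect(self.pools[client], {"session_key": key.hex(), "ticket": ticket_pkt})

    def second_request(self, packet: dict, now: float) -> dict:
        """Step 5: hand the QKUD its key copy for a valid, unredeemed ticket that names it."""
        server, pool = packet["key_id"], self.pools[packet["key_id"]]
        req = unprotect(pool, packet)
        key, ticket = self.sessions.get(req["ticket_id"], (None, None))
        if ticket is None or ticket["server"] != server or now > ticket["valid_until"]:
            return protect(pool, {"amount": 0, "result": "rejected"})
        del self.sessions[req["ticket_id"]]  # a ticket is redeemed once
        return protect(pool, {"session_key": key.hex(), "amount": ticket["amount"], "result": "ok"})


def run_flow(now: float, later: float = 0.0) -> dict:
    """Six claim steps between QKUC 'uc1' and QKUD 'ud1' (QKDS modelled as a pure relay);
    `later` is how many seconds after issuance the QKUD presents the ticket."""
    material = {d: secrets.token_bytes(4096) for d in ("uc1", "ud1")}  # constructed key pools
    qss = QSS({d: KeyPool(d, m) for d, m in material.items()})
    uc_pool, ud_pool = KeyPool("uc1", material["uc1"]), KeyPool("ud1", material["ud1"])
    # 1. QKUC -> QSS: first session key application (key id in the header, amount, intended peer)
    m1 = protect(uc_pool, {"peer_id": "ud1", "amount": 32})
    resp1 = unprotect(uc_pool, qss.first_application(m1, now))  # 2. QSS -> QKUC: response
    uc_key = bytes.fromhex(resp1["session_key"])
    # 3. QKUC -> QKUD: forward the ticket; the QKUD checks the addressee and the validity time
    ticket = unprotect(ud_pool, resp1["ticket"])
    if ticket["server"] != "ud1" or now + later > ticket["valid_until"]:
        return {"result": "ticket rejected by QKUD", "amount": 0}
    m3 = protect(ud_pool, {"ticket_id": ticket["ticket_id"]})  # 4. QKUD -> QKDS -> QSS: request
    # 5. QSS -> QKDS -> QKUD: second session key request response with the QKUD's key copy
    resp2 = unprotect(ud_pool, qss.second_request(m3, now + later))
    ud_key = bytes.fromhex(resp2["session_key"]) if resp2["result"] == "ok" else b""
    # 6. QKUD -> QKUC: session key ticket response (amount, result), tagged under the new session
    #    key so the QKUC gets key confirmation (assumption: the page does not say how it is protected)
    body = json.dumps({"amount": resp2["amount"], "result": resp2["result"]}, sort_keys=True).encode()
    tag = hmac.new(ud_key, body, hashlib.sha256).hexdigest()
    confirmed = hmac.compare_digest(tag, hmac.new(uc_key, body, hashlib.sha256).hexdigest())
    return {"result": resp2["result"], "amount": resp2["amount"], "keys_match": uc_key == ud_key,
            "confirmed": confirmed, "ticket_packet": resp1["ticket"], "ud_pool": ud_pool}


def replay_is_rejected(flow: dict) -> bool:
    """A duplicated ticket packet points at pad bytes the QKUD has already consumed."""
    try:
        unprotect(flow["ud_pool"], flow["ticket_packet"])
        return False
    except ValueError:
        return True
```

The checks worth noting are the ones the claims imply but do not spell out: the QSS binds each request to the key that authenticated it rather than to a self-declared identity, a ticket is redeemed once and only within its validity window, and a replayed packet fails because it points at pad bytes already consumed.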
A quantum session key distribution device, the device being adapted to carry out quantum session key distribution for communicating application devices based on a preset quantum security protocol, and comprising:
a first distribution unit, used, if no trusted third party is involved between the communicating application devices, to authenticate the application devices based on the quantum security handshake protocol in the preset quantum security protocol, to negotiate the encryption suite and session key rule used during their communication, and to carry out quantum session key distribution for the application devices based on that encryption suite and session key rule, so that the application devices communicate based on the quantum session key;
and a second distribution unit, used, if a trusted third party is arranged between the communicating application devices, to establish a secure communication channel between the application devices and the trusted third party based on the quantum security handshake protocol and to execute quantum session key distribution over that channel, so that the application devices communicate based on the quantum session key.
A communication architecture that is a quantum session key communication architecture of a quantum key application device and a quantum key user client, the communication architecture comprising a quantum key application device, a quantum key user client, a quantum security service device, a quantum key distribution service device, wherein,
the quantum key user client is used to send a first session key application to the quantum security service device and to forward the session key ticket corresponding to the first session key application to the quantum key application device;
the quantum security service device includes: a first receiving unit, a first transmitting unit, a second receiving unit and a second transmitting unit, wherein,
the first receiving unit is used for receiving a first session key application;
the first sending unit is configured to generate a first session key application response according to the first session key application, and send the first session key application response to the quantum key user client;
the second receiving unit is configured to receive a second session key request sent by the quantum key distribution service device, where the second session key request is a session key application request sent by the quantum key application device;
the second sending unit is configured to generate a second session key request response based on the second session key request, and send the second session key request response to the quantum key distribution service device;
the quantum key distribution service device comprises a third receiving unit, a third transmitting unit, a fourth receiving unit and a fourth transmitting unit, wherein,
the third receiving unit is configured to receive a second session key request sent by the quantum key application device;
the third sending unit is configured to send the second session key request to the quantum security service device;
the fourth receiving unit is configured to receive a second session key request response sent by the quantum security service device;
the fourth sending unit is configured to send the second session key request response to the quantum key application device;
the quantum key application device is configured to send a second session key request to the quantum key distribution service device, generate a session key ticket response according to a second session key request response sent by the quantum key distribution service device, and send the session key ticket response to the quantum key user client to implement session key distribution for the quantum key application device and the quantum key user client.
A communication architecture that is a quantum session key communication architecture of a first quantum key user client and a second quantum key user client, the communication architecture comprising: a first quantum key user client, a second quantum key user client, and a quantum security service device, wherein,
the first quantum key user client is used to send a first session key application to the quantum security service device and to forward the session key ticket corresponding to the first session key application to the second quantum key user client;
the second quantum key user client is used to send a second session key request to the quantum security service device, to generate a session key ticket response based on the second session key request response returned by the quantum security service device, and to send the session key ticket response to the first quantum key user client;
the quantum security service device includes: a fifth receiving unit, a fifth transmitting unit, a sixth receiving unit, and a sixth transmitting unit, wherein,
the fifth receiving unit is configured to receive a first session key application sent by the first quantum key user client;
the fifth sending unit is configured to generate a first session key application response according to the first session key application, and send the first session key application response to the first quantum key user client;
the sixth receiving unit is configured to receive a second session key request sent by the second quantum key user client;
and the sixth sending unit is used for generating a second session key request response according to the second session key request and sending the second session key request response to the second quantum key user client.
A communication architecture that is a quantum session key communication architecture of a first quantum key application device and a second quantum key application device, the communication architecture comprising: a first quantum key application device, a second quantum key application device, a first quantum key distribution service device, a second quantum key distribution service device and a quantum security service device, wherein,
the first quantum key application device is configured to send a first session key application to the first quantum key distribution service device, and forward a session key ticket corresponding to the first session key application to the second quantum key application device;
the second quantum key application device is configured to send a second session key application to the second quantum key distribution service device, and send a session key ticket response corresponding to a second session key application response returned by the second quantum key distribution service device to the first quantum key application device;
the first quantum key distribution service device is configured to send the first session key application to the quantum security service device, and send a first session key application response returned by the quantum security service device to the first quantum key application device;
the second quantum key distribution service device is configured to send the second session key application to the quantum security service device, and send a second session key application response returned by the quantum security service device to the second quantum key application device;
the quantum security service device includes: a seventh receiving unit, a seventh transmitting unit, an eighth receiving unit, and an eighth transmitting unit, wherein,
the seventh receiving unit is configured to receive a first session key application sent by the first quantum key distribution service device;
the seventh sending unit is configured to generate the first session key application response based on the first session key application, and send the first session key application response to the first quantum key distribution service device;
the eighth receiving unit is configured to receive a second session key application sent by the second quantum key distribution service device;
the eighth sending unit is configured to generate the second session key application response based on the second session key application, and send the second session key application response to the second quantum key distribution service device.
Optionally, the first quantum key distribution service device further includes:
and a verification unit, used to receive the response ticket verification request generated by the first quantum key application device when it receives the session key ticket response, and to return the generated response ticket verification request response to the first quantum key application device, thereby verifying the session key ticket response.
Compared with the prior art, the invention provides a quantum session key distribution method, a quantum session key distribution device and a communication architecture. Quantum session key distribution is carried out for communicating application devices through a preset quantum security protocol, and the application devices are authenticated and supplied with quantum session keys according to whether a trusted third party is involved between them, so the protocol has a wide range of application and strong compatibility. The mechanism of identity authentication, quantum session key distribution and encrypted communication between the two communicating parties under the preset quantum security protocol allows the quantum session key to be protected by a one-time pad or a preset symmetric encryption algorithm and carried inside the communication data packets during distribution, which improves the security of session key distribution and removes the potential threat of a session key distribution method based on a public-key system or on a single preset shared key being cracked.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a quantum session key distribution method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an architecture that does not involve a third party, according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an architecture with a trusted third party, according to an embodiment of the present invention;
Fig. 4 is a format diagram of a QSL protocol packet according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the QSL datagram format according to an embodiment of the present invention;
Fig. 6 is a sequence diagram of the QSL handshake protocol according to an embodiment of the present invention;
Fig. 7 is a diagram of the communication architecture between a QKUC and a QKUD according to an embodiment of the present invention;
Fig. 8 is a flowchart of QKUC and QKUD session key distribution according to an embodiment of the present invention;
Fig. 9 is a diagram of the communication architecture between two QKUCs according to an embodiment of the present invention;
Fig. 10 is a flowchart of QKUC and QKUC session key distribution according to an embodiment of the present invention;
Fig. 11 is a diagram of the communication architecture between two QKUDs according to an embodiment of the present invention;
Fig. 12 is a flowchart of QKUD and QKUD session key distribution according to an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of a quantum session key distribution device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms first and second and the like in the description and in the claims and in the above-described figures are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to the listed steps or elements but may include steps or elements not expressly listed.
In an embodiment of the present invention, a quantum session key distribution method is provided, referring to fig. 1, including:
S10, carrying out quantum session key distribution for the communicating application devices based on a preset quantum security protocol;
depending on whether a trusted third party is involved between the application devices, the step specifically includes:
S101, if no trusted third party is involved between the communicating application devices, authenticating the application devices based on the quantum security handshake protocol in the preset quantum security protocol, negotiating the encryption suite and the session key rule used in the communication process of the application devices, and carrying out quantum session key distribution for the application devices based on the encryption suite and the session key rule, so that the application devices communicate based on the quantum session key;
S102, if a trusted third party is arranged between the communicating application devices, establishing a secure communication channel between the application devices and the trusted third party based on the quantum security handshake protocol, executing quantum session key distribution over the secure communication channel, and enabling the application devices to communicate based on the quantum session key.
The preset quantum security (Quantum Secure Layer, QSL) protocol in an embodiment of the present invention is divided into two layers: the upper layer comprises a quantum security handshake protocol (QSL handshake protocol), a quantum security session key distribution protocol (QSL session key distribution protocol), a quantum security key change protocol (QSL change cipher spec protocol, also called the QSL key change protocol) and a quantum security warning protocol (QSL alert protocol, also called the QSL warning protocol); the bottom layer is a quantum security record protocol (QSL record protocol, also called the QSL recording protocol).
The encryption mode of the communication data packets of the preset quantum security protocol is negotiated and confirmed during the authentication between the quantum key application device and the quantum key distribution service device, between the quantum key user client and the quantum security service device, and between the quantum security service device and the quantum key distribution service device. Each communication data packet of the preset quantum security protocol is encrypted and protected, in the negotiated and confirmed encryption mode, with the key corresponding to a designated identifier; that is, each communication data packet is encrypted and protected according to a preset designated key. The quantum session key itself is encrypted and protected with a one-time pad or a preset symmetric encryption mode and is added to the communication data packet during the quantum session key distribution process.
It should be noted that each communication data packet being encrypted and protected according to a preset designated key means that the key used by each communication data packet can be designated: several data packets may designate the same key for their protection, while the highest security is obtained when every communication data packet uses a different key.
Each sub-protocol in the preset quantum security protocol is explained below, specifically:
QSL handshake protocol: the authentication and negotiation process used when two parties in the system communicate without involving a third party. The two parties authenticate each other's identity using a shared symmetric key (a quantum key or a preset random-number key), negotiate the encryption suite (encryption algorithm and MAC algorithm) and the usage rules of the session key (a quantum key, a key generated during the handshake, etc.) used in the subsequent communication, and establish an encrypted QSL connection. The QSL handshake protocol is thus the two-way authentication and encrypted communication mechanism between devices in the system that hold a shared symmetric key.
QSL session key distribution protocol: the trusted third party in the system provides identity authentication and session key distribution for both communication parties of the application layer, and both communication parties of the application layer carry out encrypted communication based on the acquired session key.
QSL key change protocol: the client and the server notify the opposite end through the key change protocol, and the subsequent messages are protected and transmitted by using the newly negotiated encryption suite and the session key.
QSL warning protocol: used to report alarm information to the communication peer; the message includes the severity level and a description of the alarm (the alarm information is formulated based on the characteristics of symmetric keys).
QSL recording protocol: mainly responsible for partitioning upper-layer data (QSL handshake protocol, QSL session key distribution protocol, QSL key change protocol, QSL warning protocol and application layer protocol messages) into record blocks, calculating and adding MAC values, encrypting the processed record blocks and transmitting them to the peer. The QSL recording protocol carries identification information for the key usage rule, so the advantages of quantum keys in quantity and timeliness can be fully exploited, and the communication process can reach the security level of one key per packet (each communication data packet is encrypted and protected by its own key), or even a one-time pad.
As can be seen from the above definitions, the QSL protocol architecture actually covers the communication protocols of two situations, "no third party involved" and "trusted third party", and can be split into two corresponding sub-architectures, shown in fig. 2 and fig. 3 respectively.
The "no third party involved" architecture is used when both communicating parties hold a shared symmetric key (a quantum key or a preset random-number key); it supports the communication processes inside the quantum security service mobile engine (Quantum Secure Service-Mobile Engine, QSS-ME).
The "trusted third party" architecture is used when each of the communicating parties holds a shared symmetric key (a quantum key or a preset random-number key) with the trusted third party; it serves the application-service communication processes in which the QSS-ME acts as the trusted third party.
The format of a QSL protocol packet is shown in fig. 4 and the format of a QSL datagram in fig. 5; the datagram format is specifically:
Protocol type (8 bits): the higher-layer protocol carried by the segment that the QSL recording protocol encapsulates.
Major version number (8 bits): the major version number of QSL in use.
Minor version number (8 bits): the minor version number of QSL in use.
Data length (16 bits): the byte length of the data segment.
Data: the transmitted data.
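As an added example (not the patent's own code), the datagram layout above as a serialiser and a stream parser that tolerates a record still in flight. The numeric protocol type codes and the version 1.0 are constructed assumptions: the page names the sub-protocols but assigns no code points.

```python
import struct

# Header layout from the page: protocol type (8 bits), major version (8 bits),
# minor version (8 bits), data length (16 bits); network byte order assumed.
HEADER = struct.Struct(">BBBH")
MAX_DATA_LEN = 0xFFFF  # the data length field is 16 bits wide

# Numeric codes are constructed for this example; the page only names the protocols.
PROTOCOL_TYPES = {
    1: "QSL handshake protocol",
    2: "QSL session key distribution protocol",
    3: "QSL key change protocol",
    4: "QSL warning protocol",
    5: "application layer protocol",
}


def build_datagram(ptype, data, version=(1, 0)):
    """Serialise one QSL datagram: the header fields followed by the data segment."""
    if ptype not in PROTOCOL_TYPES:
        raise ValueError(f"unknown protocol type {ptype}")
    if len(data) > MAX_DATA_LEN:
        raise ValueError("data segment longer than the 16-bit length field allows")
    major, minor = version
    return HEADER.pack(ptype, major, minor, len(data)) + data


def parse_datagrams(stream, version=(1, 0)):
    """Split a received byte stream into (protocol name, data) records.

    Returns the complete records and the unconsumed tail (a partial record whose
    data has not fully arrived). A version the receiver does not speak or an
    unknown protocol type is rejected outright rather than skipped."""
    records, pos = [], 0
    while len(stream) - pos >= HEADER.size:
        ptype, major, minor, length = HEADER.unpack_from(stream, pos)
        if (major, minor) != version:
            raise ValueError(f"unsupported QSL version {major}.{minor}")
        if ptype not in PROTOCOL_TYPES:
            raise ValueError(f"unknown protocol type {ptype}")
        start, end = pos + HEADER.size, pos + HEADER.size + length
        if end > len(stream):
            break  # data segment incomplete: caller reads more and retries with the tail
        records.append((PROTOCOL_TYPES[ptype], stream[start:end]))
        pos = end
    return records, stream[pos:]


def demo():
    """Constructed stream: two complete datagrams followed by the start of a third."""
    stream = (build_datagram(1, b"request authentication")
              + build_datagram(2, b"\x00\x01" * 8)
              + HEADER.pack(5, 1, 0, 40) + b"partial")
    return parse_datagrams(stream)
```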
The QSL handshake protocol is the authentication and negotiation procedure between two parties in the system that communicate without a third party, using their shared symmetric key, and it achieves the following goals:
two-way identity authentication of the two parties holding the shared key; negotiation of the encryption algorithm and MAC algorithm used in the subsequent communication between the two parties; and confirmation of the usage rules of the session key (a quantum key, a key generated during the handshake, etc.) used in the next communication between the two parties.
Referring to fig. 6, the sequence of the QSL handshake protocol according to an embodiment of the present invention includes:
(1) The client sends a "request authentication" message (plaintext, including the list of algorithm suites) to the quantum security service device (QSC);
(2) The QSC replies with a "request authentication response" message (ciphertext, containing the selected algorithm suite, a verification random number and the key index information needed to decrypt the message) to the client;
(3) The client decrypts the request authentication response with that key and sends a "request verification" message to the QSC (ciphertext encrypted with the key specified by the QSC, containing the verification random number);
(4) The QSC validates the request verification message and, once it passes, sends a "request verification response" message to the client, specifying the subsequent key usage rules.
To facilitate the description of the QSL session key distribution process, the notation used in the protocol description is defined below:
LT: Lifetime, the lifetime of a ticket;
KS: Key Size, the number of keys applied for or returned in a reply;
SID: Session ID;
MAC: digest code of the transmitted data;
AS: Algorithm Suite;
KID: Key ID, the key index;
OID: Object ID, the ID of a subsystem, device or module in the QSS-ME;
OID_x: the ID of object x;
Ticket_x: ticket x;
K_{x,y}: the session key of x and y;
QK_{x,y}: the shared quantum key of x and y;
QK_{x,y}[k]: the shared quantum key between x and y corresponding to the index value k;
QSK: the quantum session key that the QSS-ME distributes for an application service, using a quantum key as the session key;
QSK_{x,y}: the quantum session key of x and y;
QSKI_{x,y}: quantum session key data information transferred between x and y (not the session key information of x and y);
En(Data, Key): the encrypted data obtained by encrypting Data with the key Key, where the encryption operation includes a one-time pad encryption algorithm;
A‖B: the concatenation of data A and data B.
The embodiment of the invention also provides an example of a quantum session key communication architecture for applying the quantum session key distribution method to quantum key application equipment and a quantum key user client, wherein the quantum key application equipment characterizes application equipment for obtaining a quantum session key through the communication architecture to communicate; the quantum key user client characterizes application software which is communicated by obtaining a quantum session key through the communication architecture.
Referring to fig. 7, the communication architecture includes a quantum key application device (QKUD), a quantum key user client (QKUC), a quantum security service device (QSC) and a quantum key distribution service device (QKDS), where the quantum key application device is communicatively connected to the quantum key user client, the quantum key user client is connected to the quantum security service device, the quantum key application device is connected to the quantum key distribution service device, and the quantum key distribution service device is connected to the quantum security service device.
Still referring to fig. 7, a Quantum Key Storage Device (QKSD) is further included as an optional architecture in the embodiment of the present invention, where the quantum Key storage device is used to store a quantum Key, and may be specifically formed by an encryption chip, a U-Key, a TF card, a Key manager, and the like.
The QKUC, QKUD and QKDS need to be authenticated before a session key application is made, and the application must fall within the validity lifetime of the authentication. The session key distribution flow of the QKUC and QKUD is shown in fig. 8, where by default the QKUC, QKUD and QKDS have already been authenticated; the method includes:
transmitting a first session key application of the quantum key user client to the quantum security service device;
Sending a first session key application response returned by the quantum security service equipment to the quantum key user client;
forwarding a session key ticket corresponding to the first session key application response obtained by the quantum key user client to the quantum key application device;
transmitting a second session key request of the quantum key application device to a quantum key distribution service device, and transmitting the second session key request to the quantum security service device based on the quantum key distribution service device;
transmitting a second session key request response generated by the quantum security service device based on the second session key request to the quantum key application device through the quantum key distribution service device;
and sending a session key ticket response generated by the quantum key application device based on the second session key request response to the quantum key user client, to realize session key distribution between the quantum key application device and the quantum key user client.
Correspondingly, the encrypted session key can be imported into a Quantum Key Storage Device (QKSD) in the quantum session key distribution process, so that the quantum session key can be stored conveniently.
For example, the QKUC and QKUD session key distribution flow is as follows:
(1) QKUC→QSSC: KID_1 ‖ En(SID ‖ OID_QKUC ‖ OID_QKUD ‖ KS_1 ‖ LT_SKT ‖ MAC_1, QK_{QKUC,QSSC}[KID_1]);
(2) QSSC→QKUC: KID_2 ‖ En(SID ‖ KS_2 ‖ QSKI_{QKUC,QSSC} ‖ Ticket_SKT ‖ MAC_2, QK_{QKUC,QSSC}[KID_2]), where QSKI_{QKUC,QSSC} = KID_3 ‖ AS_1 ‖ En(QSK_{QKUC,QKUD}, QK_{QKUC,QSSC}[KID_3]);
(3) QKUC→QKUD: Ticket_SKT;
(4) QKUD→QKDS: En(SID ‖ OID_QKUD ‖ Ticket_SKT ‖ MAC_3, K_{QKUD,QKDS});
(5) QKDS→QSSC: KID_4 ‖ En(SID ‖ OID_QKUD ‖ MAC_4, QK_{QKDS,QSSC}[KID_4]);
(6) QSSC→QKDS: KID_5 ‖ En(SID ‖ KS_2 ‖ QSKI_{QKDS,QSSC} ‖ Ticket_SKRT ‖ MAC_5, QK_{QKDS,QSSC}[KID_5]), where QSKI_{QKDS,QSSC} = KID_6 ‖ AS_2 ‖ En(QSK_{QKUC,QKUD}, QK_{QKDS,QSSC}[KID_6]);
(7) QKDS→QKUD: En(SID ‖ KS_2 ‖ QSK_{QKUC,QKUD} ‖ Ticket_SKRT ‖ MAC_5, K_{QKUD,QKDS}); in this step the QKDS may also refrain from outputting the quantum session key (QSK_{QKUC,QKUD}): the quantum session key then stays stored in the QKDS, and the QKUD uses the applied quantum session key to encrypt and decrypt data through the encryption and decryption protocol of the QKDS;
(8) QKUD→QKUC: Ticket_SKRT.
In the above example, KID_1, KID_2 and KID_3 are the key identification information used to encrypt the data packets; KS_1 and KS_2 are respectively the amount of session key applied for and the amount of session key returned in the reply, so a single session key distribution flow can distribute a session key of a specified length; LT_SKT is the validity time of the session key ticket and protects the timeliness of the session key application; MAC is the digest code, corresponding to the digest code information in the QSL recording protocol; Ticket_SKT is the session key ticket, which contains the key information of the session key distribution (such as the amount of session key applied for and the IDs of the devices it is distributed to) and is transmitted in encrypted form between the QKUC and the QKUD over an insecure communication channel; Ticket_SKRT is the session key response ticket, which the QKUD sends to the QKUC so that the QKUC learns the result of the current session key application. It should be noted that the QKUD and QKUC may also determine the result of the session key application at the application level by other means (such as checking whether the data on both sides is correct during service communication).
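Steps (1) and (2) of the flow above, as an added example that is not the patent's own code: the request and response are wrapped as KID ‖ En(fields ‖ MAC, QK[KID]) with a one-time pad drawn from an indexed quantum key pool, and the QKUC unwraps QSKI to recover the QSK. The length-prefixed field encoding, HMAC-SHA256 as the MAC, the pad/MAC-key split of each indexed key, the QSSC-held key protecting Ticket_SKT and all key, suite and identifier values are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = 32  # HMAC-SHA256 tag; the page leaves the MAC algorithm open (assumption)

class QuantumKeyPool:  # QK_{x,y}[k]: shared quantum keys by index k, each usable once
    def __init__(self, keys):
        self._keys, self._used = dict(keys), set()

    def take(self, kid):
        if kid in self._used:
            raise ValueError(f"key index {kid} already consumed")  # no pad reuse
        self._used.add(kid)
        return self._keys[kid]

def encode(*fields):
    """A || B || ...: 2-byte length-prefixed concatenation (constructed encoding)."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def decode(buf):
    fields, pos = [], 0
    while pos < len(buf):
        (n,) = struct.unpack_from(">H", buf, pos)
        if pos + 2 + n > len(buf):
            raise ValueError("truncated field")
        fields.append(buf[pos + 2:pos + 2 + n])
        pos += 2 + n
    return fields

def otp(data, pad):
    """En(Data, Key) as a one-time pad: XOR with quantum key bytes that are never reused."""
    if len(pad) < len(data):
        raise ValueError("quantum key shorter than data")
    return bytes(d ^ p for d, p in zip(data, pad))

def seal(kid, fields, key):
    """KID || En(fields || MAC, QK[KID]). Assumed layout of QK[KID]: leading bytes are
    the pad, the last MAC_LEN bytes key the MAC, and the two regions must not overlap."""
    body = encode(*fields)
    if len(key) < len(body) + 2 * MAC_LEN:
        raise ValueError("quantum key too short for pad plus MAC key")
    tag = hmac.new(key[-MAC_LEN:], body, hashlib.sha256).digest()
    return struct.pack(">I", kid) + otp(body + tag, key)

def unseal(msg, pool):
    """Inverse of seal: consume QK[KID], strip the pad, verify the MAC, split the fields."""
    (kid,) = struct.unpack(">I", msg[:4])
    key = pool.take(kid)
    plain = otp(msg[4:], key)
    body, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key[-MAC_LEN:], body, hashlib.sha256).digest()):
        raise ValueError("MAC check failed")
    return decode(body)

def rejected(msg, pool):  # True when unseal refuses the packet (bad MAC or consumed KID)
    try:
        unseal(msg, pool)
        return False
    except ValueError:
        return True

def qkuc_request(pool, kid1, sid, oid_qkuc, oid_qkud, ks1, lt):
    """(1) QKUC -> QSSC: KID_1 || En(SID||OID_QKUC||OID_QKUD||KS_1||LT_SKT||MAC_1, QK[KID_1])."""
    return seal(kid1, [sid, oid_qkuc, oid_qkud, struct.pack(">I", ks1), struct.pack(">I", lt)], pool.take(kid1))

def qssc_respond(pool, local_pool, msg, kid2, kid3, tkid, as1):
    """(2) QSSC -> QKUC: KID_2 || En(SID||KS_2||QSKI||Ticket_SKT||MAC_2, QK[KID_2]) with
    QSKI = KID_3 || AS_1 || En(QSK, QK[KID_3]). Returns the message and the issued QSK."""
    sid, oid_a, oid_b, ks1_b, lt_b = unseal(msg, pool)
    (ks2,) = struct.unpack(">I", ks1_b)  # grant the amount applied for
    qsk = os.urandom(ks2)  # constructed stand-in for quantum key material
    qski = encode(struct.pack(">I", kid3), as1, otp(qsk, pool.take(kid3)))
    # Ticket_SKT: distribution info sealed under a key only the QSSC holds (assumption)
    ticket = seal(tkid, [sid, oid_a, oid_b, ks1_b, lt_b], local_pool.take(tkid))
    return seal(kid2, [sid, struct.pack(">I", ks2), qski, ticket], pool.take(kid2)), qsk

def qkuc_receive(pool, msg, sid_expected):
    """QKUC side of (2): check SID, unwrap QSKI with QK[KID_3]; Ticket_SKT is forwarded in (3)."""
    sid, ks2_b, qski, ticket = unseal(msg, pool)
    if sid != sid_expected:
        raise ValueError("session id mismatch")
    kid3_b, as1, wrapped = decode(qski)
    qsk = otp(wrapped, pool.take(struct.unpack(">I", kid3_b)[0]))
    if len(qsk) != struct.unpack(">I", ks2_b)[0]:
        raise ValueError("QSK length does not match KS_2")
    return qsk, as1, ticket

def run_exchange(ks=32):
    """Steps (1)-(2) over constructed keys, plus the tamper and replay checks a receiver makes."""
    shared = {k: os.urandom(512) for k in (1, 2, 3)}  # constructed QK_{QKUC,QSSC} pool
    qkuc_pool, qssc_pool = QuantumKeyPool(shared), QuantumKeyPool(shared)
    qssc_local = QuantumKeyPool({9: os.urandom(512)})  # QSSC-only key for Ticket_SKT
    sid = os.urandom(8)
    m1 = qkuc_request(qkuc_pool, 1, sid, b"QKUC-01", b"QKUD-01", ks, 300)
    tampered = m1[:-1] + bytes([m1[-1] ^ 0x01])  # flip one ciphertext bit
    m2, qsk_issued = qssc_respond(qssc_pool, qssc_local, m1, 2, 3, 9, b"suite-1")
    qsk_got, as1, ticket = qkuc_receive(qkuc_pool, m2, sid)
    return {"qsk_match": qsk_got == qsk_issued, "qsk_len": len(qsk_got), "as1": as1,
            "ticket_len": len(ticket), "replay_rejected": rejected(m1, qssc_pool),
            "tamper_rejected": rejected(tampered, QuantumKeyPool(shared))}
```

Each key index is consumed exactly once on both sides, so a replayed KID_1 fails at the QSSC even before the MAC is checked, and the MAC carried inside the pad catches any bit flipped in transit.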
An example of applying the method to a quantum session key communication architecture of a first quantum key user client and a second quantum key user client is also provided in an embodiment of the present invention; see fig. 9. The communication architecture comprises a first quantum key user client (QKUC-A), a second quantum key user client (QKUC-B) and a quantum security service device (QSC), where the first quantum key user client is communicatively connected to the quantum security service device and the second quantum key user client is communicatively connected to the quantum security service device. The communication architecture in fig. 9 further includes the quantum key storage devices corresponding to the clients, namely QKSD-A and QKSD-B, although the quantum key storage devices may also be absent from the communication architecture; embodiments of the present invention are not limited in this respect.
The QKUC and QKUC session key distribution flow is shown in fig. 10, where by default QKUC-A and QKUC-B have both already been authenticated; the flow includes:
transmitting a first session key application of the first quantum key user client to a quantum security service device, and transmitting a first session key application response generated by the quantum security service device to the first quantum key user client;
Forwarding a session key ticket generated by the first quantum key user client based on the first session key application response to the second quantum key user client;
when the second quantum key user client receives the session key ticket, sending a second session key request of the second quantum key user client to the quantum security service device, and sending a second session key request response generated by the quantum security service device based on the second session key request to the second quantum key user client;
and transmitting a session key ticket response generated by the second quantum key user client based on the second session key request response to the first quantum key user client, to realize session key distribution between the first quantum key user client and the second quantum key user client.
Correspondingly, in the quantum session key distribution process, the first quantum key user client and the second quantum key user client can also respectively guide the encrypted session keys into corresponding quantum key storage devices QKSD-A and QKSD-B, so that the storage of the quantum session keys is facilitated.
For example, the QKUC-QKUC session key distribution flow is as follows:
(1) QKUC-A→QSSC: KID_1 ‖ En(SID ‖ OID_QKUC-A ‖ OID_QKUC-B ‖ KS_1 ‖ LT_SKT ‖ MAC_1, QK_{QKUC-A,QSSC}[KID_1]);
(2) QSSC→QKUC-A: KID_2 ‖ En(SID ‖ KS_2 ‖ QSKI_{QKUC-A,QSSC} ‖ Ticket_SKT ‖ MAC_2, QK_{QKUC-A,QSSC}[KID_2]), where QSKI_{QKUC-A,QSSC} = KID_3 ‖ AS_1 ‖ En(QSK_{QKUC-A,QKUC-B}, QK_{QKUC-A,QSSC}[KID_3]);
(3) QKUC-A→QKUC-B: Ticket_SKT;
(4) QKUC-B→QSSC: KID_4 ‖ En(SID ‖ OID_QKUC-B ‖ MAC_3, QK_{QKUC-B,QSSC}[KID_4]);
(5) QSSC→QKUC-B: KID_5 ‖ En(SID ‖ KS_2 ‖ QSKI_{QKUC-B,QSSC} ‖ Ticket_SKRT ‖ MAC_4, QK_{QKUC-B,QSSC}[KID_5]), where QSKI_{QKUC-B,QSSC} = KID_6 ‖ AS_2 ‖ En(QSK_{QKUC-A,QKUC-B}, QK_{QKUC-B,QSSC}[KID_6]);
(6) QKUC-B→QKUC-A: Ticket_SKRT.
An example of applying the method to a quantum session key communication architecture of a first quantum key application device and a second quantum key application device is also provided in an embodiment of the present invention; see fig. 11. The communication architecture comprises a first quantum key application device (QKUD-A), a second quantum key application device (QKUD-B), a first quantum key distribution service device (QKDS-A), a second quantum key distribution service device (QKDS-B) and a quantum security service device (QSC), where the first quantum key application device is connected to the first quantum key distribution service device, the first quantum key distribution service device is connected to the quantum security service device, the second quantum key application device is connected to the second quantum key distribution service device, and the second quantum key distribution service device is connected to the quantum security service device. Referring to fig. 12, before a session key application QKUD-A, QKUD-B, QKDS-A and QKDS-B all need to be authenticated, and within the validity lifetime of that authentication the method includes:
transmitting a first session key application of the first quantum key application device to the first quantum key distribution service device, and forwarding the first session key application to the quantum security service device through the first quantum key distribution service device;
Transmitting a first session key application response generated by the quantum security service device to the first quantum key application device through the first quantum key distribution service device;
forwarding a session key ticket generated by the first quantum key application device based on the first session key application response to the second quantum key application device;
transmitting a second session key application of the second quantum key application device to the second quantum key distribution service device, and forwarding the second session key application to the quantum security service device through the second quantum key distribution service device;
transmitting a second session key application response generated by the quantum security service device to the second quantum key application device through the second quantum key distribution service device;
and forwarding a session key ticket response generated by the second quantum key application device based on the second session key application response to the first quantum key application device, to realize session key distribution between the first quantum key application device and the second quantum key application device.
Further, the method may also include a process of verifying the session key ticket response, specifically: when the first quantum key application device receives the session key ticket response, a response ticket verification request generated by the first quantum key application device is sent to the first quantum key distribution service device, and the response ticket verification request response generated by the first quantum key distribution service device is returned to the first quantum key application device, so that the session key ticket response is verified.
For example, the QKUD-to-QKUD session key distribution flow is as follows:
(1) QKUD-A→QKDS-A: En(SID ‖ OID_QKUD-A ‖ OID_QKUD-B ‖ KS_1 ‖ LT_SKT ‖ MAC_1, K_{QKUD-A,QKDS-A});
(2) QKDS-A→QSSC: KID_1 ‖ En(SID ‖ OID_QKUD-A ‖ OID_QKUD-B ‖ OID_QKDS-A ‖ KS_1 ‖ MAC_2, QK_{QKDS-A,QSSC}[KID_1]);
(3) QSSC→QKDS-A: KID_2 ‖ En(SID ‖ KS_2 ‖ QSKI_{QKDS-A,QSSC} ‖ Ticket_SKT ‖ MAC_3, QK_{QKDS-A,QSSC}[KID_2]), where QSKI_{QKDS-A,QSSC} = KID_3 ‖ AS_1 ‖ En(QSK_{QKUD-A,QKUD-B}, QK_{QKDS-A,QSSC}[KID_3]);
(4) QKDS-A→QKUD-A: En(SID ‖ KS_2 ‖ QSK_{QKUD-A,QKUD-B} ‖ Ticket_SKT ‖ MAC_4, K_{QKUD-A,QKDS-A}); in this step the QKDS-A may also refrain from outputting the quantum session key (QSK_{QKUD-A,QKUD-B}): the quantum session key then stays stored in the QKDS-A, and the QKUD-A uses the applied quantum session key to encrypt and decrypt data through the encryption and decryption protocol of the QKDS-A;
(5) QKUD-A→QKUD-B: Ticket_SKT;
(6) QKUD-B→QKDS-B: En(SID ‖ OID_QKUD-B ‖ Ticket_SKT ‖ MAC_5, K_{QKUD-B,QKDS-B});
(7) QKDS-B→QSSC: KID_4 ‖ En(SID ‖ OID_QKDS-B ‖ MAC_6, QK_{QKDS-B,QSSC}[KID_4]);
(8) QSSC→QKDS-B: KID_5 ‖ En(SID ‖ KS_2 ‖ QSKI_{QKDS-B,QSSC} ‖ Ticket_SKRT ‖ MAC_7, QK_{QKDS-B,QSSC}[KID_5]), where QSKI_{QKDS-B,QSSC} = KID_6 ‖ AS_2 ‖ En(QSK_{QKUD-A,QKUD-B}, QK_{QKDS-B,QSSC}[KID_6]);
(9) QKDS-B→QKUD-B: En(SID ‖ KS_2 ‖ QSK_{QKUD-A,QKUD-B} ‖ Ticket_SKRT ‖ MAC_8, K_{QKUD-B,QKDS-B}); in this step the QKDS-B may also refrain from outputting the quantum session key (QSK_{QKUD-A,QKUD-B}): the quantum session key then stays stored in the QKDS-B, and the QKUD-B uses the applied quantum session key to encrypt and decrypt data through the encryption and decryption protocol of the QKDS-B;
(10) QKUD-B→QKUD-A: Ticket_SKRT;
(11) QKUD-A→QKDS-A: En(SID ‖ Ticket_SKRT ‖ MAC_9, K_{QKUD-A,QKDS-A});
(12) QKDS-A→QKUD-A: En(SID ‖ Result ‖ MAC_10, K_{QKUD-A,QKDS-A}).
in an embodiment of the present invention, there is further provided a quantum session key distribution apparatus, which is specifically configured to: the quantum session key distribution is performed on the application device for communication based on a preset quantum security protocol, and referring to fig. 13, the device includes:
a first distributing unit 201, configured to authenticate an application device based on a quantum security handshake protocol in the preset quantum security protocol, negotiate an encryption suite and a session key rule used in a communication process of the application device, and perform quantum session key distribution on the application device based on the encryption suite and the session key rule, so as to implement communication of the application device based on the quantum session key if no trusted third party is involved between the application devices performing communication;
And the second distributing unit 202 is configured to, if a trusted third party is provided between the communicating application devices, establish a secure communication channel between the application devices and the trusted third party based on the quantum security handshake protocol, and perform quantum session key distribution on the secure communication channel, so that the application devices communicate based on the quantum session key.
In another embodiment of the present invention, there is also provided a communication architecture that is a quantum session key communication architecture of a quantum key application device and a quantum key user client, the communication architecture including a quantum key application device, a quantum key user client, a quantum security service device, a quantum key distribution service device, wherein,
the quantum key user client is used for sending a first session key application to the quantum security service device and forwarding a session key ticket corresponding to the first session key application to the quantum key application device;
the quantum security service device includes: a first receiving unit, a first transmitting unit, a second receiving unit and a second transmitting unit, wherein,
the first receiving unit is used for receiving a first session key application;
The first sending unit is configured to generate a first session key application response according to the first session key application, and send the first session key application response to the quantum key user client;
the second receiving unit is configured to receive a second session key request sent by the quantum key distribution service device, where the second session key request is a session key application request sent by the quantum key application device;
the second sending unit is configured to generate a second session key request response based on the second session key request, and send the second session key request response to the quantum key distribution service device;
the quantum key distribution service device comprises a third receiving unit, a third transmitting unit, a fourth receiving unit and a fourth transmitting unit, wherein,
the third receiving unit is configured to receive a second session key request sent by the quantum key application device;
the third sending unit is configured to send the second session key request to the quantum security service device;
the fourth receiving unit is configured to receive a second session key request response sent by the quantum security service device;
The fourth sending unit is configured to send the second session key request response to the quantum key application device;
the quantum key application device is configured to send a second session key request to the quantum key distribution service device, generate a session key ticket response according to a second session key request response sent by the quantum key distribution service device, and send the session key ticket response to the quantum key user client to implement session key distribution for the quantum key application device and the quantum key user client.
Correspondingly, in another embodiment of the present invention, there is also provided another communication architecture, which is a quantum session key communication architecture of a first quantum key user client and a second quantum key user client, the communication architecture including: a first quantum key user client, a second quantum key user client, and a quantum security service device, wherein,
the first quantum key user client is used for sending a first session key application to the quantum security service device and forwarding a session key ticket corresponding to the first session key application to the second quantum key user client;
the second quantum key user client is used for sending a second session key request to the quantum security service device, generating a session key ticket response based on the second session key request response returned by the quantum security service device, and sending the session key ticket response to the first quantum key user client;
the quantum security service device includes: a fifth receiving unit, a fifth transmitting unit, a sixth receiving unit, and a sixth transmitting unit, wherein,
the fifth receiving unit is configured to receive a first session key application sent by the first quantum key user client;
the fifth sending unit is configured to generate a first session key application response according to the first session key application, and send the first session key application response to the first quantum key user client;
the sixth receiving unit is configured to receive a second session key request sent by the second quantum key user client;
and the sixth sending unit is used for generating a second session key request response according to the second session key request and sending the second session key request response to the second quantum key user client.
Correspondingly, in another embodiment of the present invention, there is also provided another communication architecture, which is a quantum session key communication architecture of a first quantum key application device and a second quantum key application device, the communication architecture including: the device comprises a first quantum key application device, a second quantum key application device, a first quantum key distribution service device, a second quantum key distribution service device and a quantum security service device;
the first quantum key application device is configured to send a first session key application to the first quantum key distribution service device, and forward a session key ticket corresponding to the first session key application to the second quantum key application device;
the second quantum key application device is configured to send a second session key application to the second quantum key distribution service device, and to send a session key ticket response corresponding to the second session key application response returned by the second quantum key distribution service device to the first quantum key application device;
the first quantum key distribution service device is configured to send the first session key application to the quantum security service device, and send a first session key application response returned by the quantum security service device to the first quantum key application device;
The second quantum key distribution service device is configured to send the second session key application to the quantum security service device, and send a second session key application response returned by the quantum security service device to the second quantum key application device;
the quantum security service device includes: a seventh receiving unit, a seventh transmitting unit, an eighth receiving unit, and an eighth transmitting unit, wherein,
the seventh receiving unit is configured to receive a first session key application sent by the first quantum key distribution service device;
the seventh sending unit is configured to generate the first session key application response based on the first session key application, and send the first session key application response to the first quantum key distribution service device;
the eighth receiving unit is configured to receive a second session key application sent by the second quantum key distribution service device;
the eighth sending unit is configured to generate the second session key application response based on the second session key application, and send the second session key application response to the second quantum key distribution service device.
On the basis of the above embodiment, the first quantum key distribution service apparatus further includes:
and a verification unit, configured to receive a response ticket verification request generated by the first quantum key application device when the first quantum key application device receives the session key ticket response, and to return the generated response ticket verification request response to the first quantum key application device, so as to verify the session key ticket response.
It should be noted that, corresponding to different communication architectures, the functions of the quantum security service device and the quantum key distribution service device are different, and specific functions of each device in each communication architecture are described in the quantum session key distribution method provided in the embodiment of the present invention, which is not described in detail herein.
In the embodiment of the invention, quantum key resources are integrated into various mobile communication devices through a quantum security medium product; an identity authentication method and an encrypted communication mechanism are formulated using symmetric encryption and decryption technology together with an interaction mechanism, realizing a quantum security service mobile engine system for the secure distribution of session keys. The part of the SSL protocol that relies on a public key system is modified and the recording protocol is upgraded, so that communication data packets are encrypted and protected with keys during communication; this establishes a QSL protocol system with a one-time-pad security level, and combines quantum key technology with encryption technology to achieve communication confidentiality, information integrity and access legitimacy. The method thus removes the potential security threat of a session key distribution scheme based on a public key system or on a single preset shared key being cracked.
In the present specification, the embodiments are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and identical or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiment corresponds to the method disclosed in the embodiment, its description is relatively brief, and the relevant points may be found in the description of the method.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (4)

1. A quantum session key distribution method, comprising:
performing quantum session key distribution for application devices that communicate based on a preset quantum security protocol, wherein,
if no trusted third party is involved in the communication between the application devices, the application devices are authenticated based on a quantum security handshake protocol in the preset quantum security protocol, an encryption suite and a session key rule to be used during the communication of the application devices are negotiated, and quantum session key distribution is carried out for the application devices based on the encryption suite and the session key rule, so that the application devices communicate based on the quantum session key;
if a trusted third party is involved in the communication between the application devices, a secure communication channel is established between the application devices and the trusted third party based on the quantum security handshake protocol, quantum session key distribution is executed over the secure communication channel, and the application devices communicate based on the quantum session key.
2. The method according to claim 1, wherein the encryption mode for the communication data packets of the preset quantum security protocol is negotiated and confirmed during the mutual authentication between the devices; each communication data packet of the preset quantum security protocol is encrypted and protected, in the negotiated and confirmed encryption mode, with the key corresponding to a designated identifier, that is, according to a preset designated key, so that the quantum session key carried in the communication data packets during quantum session key distribution is protected by a one-time pad or by a preset symmetric encryption mode.
3. The method of claim 1, wherein the predetermined quantum security protocol comprises:
quantum security handshake protocol, quantum security session key distribution protocol, quantum security key change protocol, quantum security alert protocol, and quantum security recording protocol, wherein,
The quantum security handshake protocol characterizes a negotiation protocol of a bidirectional authentication and encryption communication mechanism between devices with shared symmetric keys in a system;
the quantum security session key distribution protocol characterizes a protocol in which a trusted third party in the system provides identity authentication and session key distribution for both communicating parties at the application layer, and the two communicating parties carry out encrypted communication based on the obtained session key;
the quantum security key change protocol characterizes a protocol for notifying an application device of a protocol change;
the quantum security warning protocol characterizes a protocol that transmits warning information, defined according to the characteristics of a symmetric key, to an application device;
the quantum security recording protocol characterizes a protocol for dividing upper-layer protocol data into blocks, encrypting them, and transmitting the processed record blocks to the receiving end.
4. A quantum session key distribution device, configured to perform quantum session key distribution for application devices that communicate based on a preset quantum security protocol, the device comprising:
a first distribution unit, configured to, if no trusted third party is involved in the communication between the application devices, authenticate the application devices based on a quantum security handshake protocol in the preset quantum security protocol, negotiate an encryption suite and a session key rule to be used during the communication of the application devices, and carry out quantum session key distribution for the application devices based on the encryption suite and the session key rule, so that the application devices communicate based on the quantum session key;
and a second distribution unit, configured to, if a trusted third party is involved in the communication between the application devices, establish a secure communication channel between the application devices and the trusted third party based on the quantum security handshake protocol, and execute quantum session key distribution over the secure communication channel, so that the application devices communicate based on the quantum session key.
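As an added illustration that is not code from the patent, the following Python sketches the trusted-third-party flow of claim 1 together with the per-packet protection of claim 2: every packet carries a key identifier, its body is XORed with a single-use pad slot and authenticated with an HMAC, and the security service mints a session key plus a ticket sealed for the peer, which the peer then proves it holds. The key pools, PAD_LEN, the packet layout, the collapsed distribution-service relays and the function names (make_pool, seal, unseal, distribute) are all assumptions standing in for quantum key material and the patent's unstated message formats.

```python
import hmac, hashlib, os, struct

PAD_LEN = 96  # constructed size of the one-time pad in each single-use key slot

def make_pool(n):
    # Constructed stand-in for quantum key material shared between a device and the
    # quantum security service: n single-use slots, each a pad plus a 32-byte MAC key.
    return {i: os.urandom(PAD_LEN + 32) for i in range(n)}

def seal(slot, key_id, plaintext):
    # Assumed packet layout: key_id || pad-encrypted body || HMAC-SHA256 tag (claim 2).
    assert len(plaintext) <= PAD_LEN, "body longer than the one-time pad slot"
    pad, mac_key = slot[:PAD_LEN], slot[PAD_LEN:]
    hdr = struct.pack(">I", key_id)
    body = bytes(p ^ k for p, k in zip(plaintext, pad))
    return hdr + body + hmac.new(mac_key, hdr + body, hashlib.sha256).digest()

def unseal(pool, packet):
    # Verify the tag before touching the body, then retire the slot so the pad is never reused.
    key_id = struct.unpack(">I", packet[:4])[0]
    slot = pool[key_id]
    tag = hmac.new(slot[PAD_LEN:], packet[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, packet[-32:]):
        raise ValueError("MAC check failed for key slot %d" % key_id)
    del pool[key_id]
    return bytes(c ^ k for c, k in zip(packet[4:-32], slot[:PAD_LEN]))

def distribute(qss_pools, dev_pools, a, b):
    # Trusted-third-party flow of claim 1 with the distribution-service relays collapsed:
    # A applies, the service answers A and mints a ticket sealed for B, A forwards the
    # ticket, and B's ticket response proves to A that B holds the same session key.
    session_key = os.urandom(16)
    id_a, id_b = min(qss_pools[a]), min(qss_pools[b])
    resp_a = seal(qss_pools[a].pop(id_a), id_a, session_key + b.encode())
    ticket = seal(qss_pools[b].pop(id_b), id_b, session_key + a.encode())
    body_a = unseal(dev_pools[a], resp_a)          # A opens its response
    sk_a, peer = body_a[:16], body_a[16:]
    if peer != b.encode():
        raise ValueError("response names an unexpected peer")
    body_b = unseal(dev_pools[b], ticket)          # B opens the forwarded ticket
    sk_b, applicant = body_b[:16], body_b[16:]
    if applicant != a.encode():
        raise ValueError("ticket names an unexpected applicant")
    challenge = os.urandom(8)                      # A's challenge to B
    ticket_resp = hmac.new(sk_b, challenge, hashlib.sha256).digest()
    expected = hmac.new(sk_a, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(ticket_resp, expected):
        raise ValueError("session key ticket response verification failed")
    return sk_a == sk_b
```

Each device and the service hold a copy of the same pool; a slot is deleted on first use so a pad is never applied twice, and a tampered packet fails the MAC check before any decryption happens.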
CN202310898481.1A 2019-03-28 2019-03-28 Quantum session key distribution method and device Pending CN116886288A (en)

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201910243395.0A Division CN111756528B (en) 2019-03-28 2019-03-28 Quantum session key distribution method, device and communication architecture

Publications (1)

Publication Number Publication Date
CN116886288A true CN116886288A (en) 2023-10-13

Family

ID=72672036
Also Published As

Publication number Publication date
CN111756528A (en) 2020-10-09
CN111756528B (en) 2023-08-15
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination