WO2019128753A1 - Quantum key mobile service method with low delay - Google Patents


Info

Publication number
WO2019128753A1
Authority
WO
WIPO (PCT)
Prior art keywords
quantum
key
qkp
service
relay
Application number
PCT/CN2018/121409
Other languages
French (fr)
Chinese (zh)
Inventor
熊英
陈娟
唐小康
Original Assignee
成都零光量子科技有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0852 Quantum cryptography
    • H04L9/0855 Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863 Generation of secret information involving passwords or one-time passwords
    • H04L9/0866 Generation of secret information involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L9/0869 Generation of secret information involving random numbers or seeds

Definitions

  • The invention belongs to the fields of quantum secure communication and mobile communication, and in particular relates to a low-latency quantum key mobile service method.
  • Quantum key distribution (QKD) is a method of distributing keys securely over a quantum channel.
  • QKD rests on quantum-mechanical principles such as the impossibility of exactly cloning an unknown quantum state (the no-cloning theorem) and can realize unconditionally secure key distribution.
  • However, a QKD network needs dedicated fibre channels, quantum relaying and quantum routing remain technically difficult, and a quantum link cannot serve many concurrent users without conflicts. It is therefore difficult to build a quantum network with a complex topology.
  • Chinese patent CN 104243143 B and application publication CN 106972922 A disclose a mobile secret communication method based on a QKD network composed of centralized control stations, each of which can be bound to at least one terminal device; encrypted information is delivered to a terminal bound to a remote centralized control station by unicast, single-hop key-forwarding route addressing and relay.
  • That scheme has drawbacks: its ciphertext and key relay suffer from security diffusion, from concurrency conflicts and from delay when applied at scale; and because the service key (session key) must be generated by a centralized control station, generating large numbers of random numbers in real time consumes substantial system resources at scale.
  • To address this, the present invention discloses a new session key generation and concurrent relay method and, built on it, a low-latency quantum key mobility service method, including but not limited to the following steps:
  • (1-1) A registered application terminal applies to at least one quantum service node of the quantum key distribution network for quantum key traffic (recorded as QKP). The node generates a quantity of random numbers from a noise source, subjects them to randomness testing, divides them into multiple subkeys of a set length and format, and creates a corresponding key identifier or number for each subkey. This establishes quantum key traffic shared between the application terminal and the quantum service node, and a service association between them.
  • (1-2) The quantum service node sends the service association list to the quantum network management server of the quantum key distribution network.
  • (1-3) After the communication service is initiated (or before it starts; the moment depends on the characteristics of the service and is not strictly defined), the application terminal requests a session key service for the current communication from the quantum key distribution network. The calling and called application terminals are denoted MT_U and MT_V respectively.
  • (1-4) The quantum network management server looks up the service association lists by the quantum IDs of MT_U and MT_V and obtains the associated calling quantum service node QKN_A and called quantum service node QKN_B. MT_U will use a subkey QKP_AUi of the quantum key traffic it shares with QKN_A, and MT_V a subkey QKP_BVj of the traffic it shares with QKN_B (i and j are natural numbers not greater than the number of subkeys in the respective traffic; the subkey length can be chosen according to the encryption and decryption rate of the service data). The server also determines the key length and the addresses of the relay nodes taking part in the session key service.
  • (1-5) According to the stored relay routing table and the current state indicators of the associated quantum service nodes, the quantum network management server performs one of the following. In every case the quantum key relay server ends up holding R = QKP_AUi ⊕ QKP_BVj, sends R together with the key identifier of QKP_AUi to MT_U and R together with the key identifier of QKP_BVj to MT_V, and MT_U negotiates with MT_V to use QKP_AUi (or QKP_BVj) as the shared session key; accordingly MT_V computes R ⊕ QKP_BVj = QKP_AUi (or MT_U computes R ⊕ QKP_AUi = QKP_BVj).
  • (a) The quantum network management server directly designates QKN_A to provide the session key service: QKN_A computes R from QKP_AUi and QKP_BVj and sends R and the two key identifiers to the quantum key relay server.
  • (b) The quantum network management server directly designates QKN_A and QKN_B to use a shared quantum key Kab, either cached in advance or negotiated in real time. QKN_A sends Kab ⊕ QKP_AUi and the key identifier of QKP_AUi to the quantum key relay server; QKN_B sends Kab ⊕ QKP_BVj and the key identifier of QKP_BVj. The relay server XORs the two values, which cancels Kab and yields R.
  • (c) The quantum network management server designates QKN_A and QKN_B to use shared quantum keys, cached in advance or negotiated in real time, with their neighbouring relay nodes, and selects n relay nodes (n a natural number greater than 0) to take part in the quantum key relay. Each relay node computes the XOR of the two shared quantum keys it holds with its adjacent nodes and transmits that value to the quantum key relay server, while QKN_A and QKN_B, as in (b), contribute the XOR of their terminal's subkey with the key they share with their adjacent relay node. The relay server XORs all the values it receives; every link key appears twice and cancels, leaving R.
  • (1-6) MT_U and MT_V use the session key obtained in step (1-5) to communicate securely over the original data link of the communication service.
  • The content of the service association list in step (1-2) includes, but is not limited to: the quantum ID of the application terminal, the verification password, the address of the associated quantum service node, and the service account identifier. The quantum ID of a registered application terminal is unique across the entire quantum key distribution network; the verification password is used to confirm identity when the application terminal connects to the quantum key distribution network; the service account identifier is a collection of accounts for the communication service types supported by the application terminal and the quantum key distribution network, and may contain one or more accounts for different services.
  • The above method further includes a quantum network management server, whose functions include but are not limited to:
  • (3-1) storing, maintaining and querying the service association list and the relay routing table between quantum service nodes and application terminals;
  • sending relay service commands to the quantum key relay server according to received relay request information;
  • (3-4) collecting the current state indicators of the nodes able to take part in the trusted relay, and determining which nodes participate in the relay.
  • The above method further includes a quantum key relay server, whose functions include but are not limited to: responding in real time to instructions of the quantum network management server, receiving relay data from the relay nodes, and transmitting relay-key data to the source node and the target node.
  • The above method further includes the quantum service node, which comprises but is not limited to a QKD system, a quantum key server and a secure storage server, characterized as follows:
  • the QKD system includes one or more QKD transceivers, or QKD transmitters and/or receivers; the QKD system of a quantum service node and those of adjacent quantum service nodes with point-to-point quantum channel connections form at least one quantum key distribution system (adjacent relay nodes use the same type of QKD system to form a quantum key distribution link);
  • the quantum key server provides the registration service and the quantum key traffic service for application terminals and creates the corresponding service association list; it also responds to instructions of the quantum network management server, reports node status information and provides the trusted relay service, sends user registration information and the service association list to the quantum network management server, and negotiates and confirms the quantum key to be used with adjacent nodes;
  • the secure storage server caches the quantum keys negotiated between the local QKD system and the QKD systems of directly connected adjacent quantum service nodes, and also stores and serves the quantum key traffic shared with application terminals.
  • Quantum keys may be cached in advance, or a certain amount may be negotiated in real time. The node groups the quantum keys, tests each group for randomness, and divides each group that passes into multiple subkeys (for example a 10 MB group into ten 1 MB subkeys, or into many 32 B, 64 B or 128 B subkeys); the subkeys are numbered, cached and given corresponding key identifiers.
  • The method by which the quantum network management server obtains the addresses of the relay nodes taking part in the session key service is as follows:
  • the quantum network management server looks up the corresponding service association lists by the received quantum IDs of the calling and called application terminals and obtains the addresses of the calling and called quantum service nodes for the current communication;
  • it then queries the stored relay routing table to obtain the address of each relay quantum service node between the calling and called quantum service nodes for the current communication.
  • The relay routing table must account for whether adjacent nodes hold a pre-cached quantum key or can negotiate one in real time: if they do, the route between those adjacent nodes is reachable; otherwise it is unreachable.
  • The method further includes: if a registered application terminal has obtained quantum key traffic from several quantum service nodes, holds a service association with each of them and has saved the corresponding service association lists, the application terminal ranks the lists by priority (for example the node where it registered, the node at its current location whose traffic it is using, etc.; the invention does not restrict the criterion) and selects the associated quantum service node, and hence the quantum key traffic to use, according to that ranking.
  • The "relay routing table" of step (1-5) in the above method includes, but is not limited to, the following:
  • the relay routing table consists of a number of records, each containing at least a local address, a destination address and a next-hop address;
  • each quantum service node of the quantum key distribution network stores its own relay routing table.
  • The current state indicator of a quantum service node in the above method includes, but is not limited to:
  • a quantitative indicator reflecting the current position and state of the quantum service node in the quantum key distribution network, including but not limited to:
  • The application terminal in the above method comprises: intelligent portable communication devices with wireless communication capability (including but not limited to smart phones, tablets with network communication capability and notebook computers); key data forwarding devices with wireless communication capability (including but not limited to key injection devices with wireless communication capability, and secure tablets with wireless communication capability that import keys directly into fixed cryptographic terminals); and devices that obtain a key shared with other devices by using quantum key traffic and the method (including but not limited to network IP encryption devices that obtain quantum key traffic through removable storage media and negotiate a shared key with the method, various VPN encryption gateways, channel encryption devices, and PCs running encryption software). These are characterized as follows:
  • the intelligent portable communication device with wireless communication capability uses the session key obtained by the method to encrypt and decrypt service data;
  • the key data forwarding device with wireless communication capability forwards the session key obtained by the method to other encrypted communication devices, which then use it to encrypt and decrypt the service data exchanged between them;
  • the device that obtains a key shared with other devices by using quantum key traffic and the method obtains its quantum key traffic by an offline route, negotiates a shared key with the other devices by the method, and communicates with them under that shared key.
  • When an application terminal's quantum key traffic is used up, it can apply to any quantum service node for new quantum key traffic and create a new service association list.
  • The above method further includes quantum key traffic (QKP), which consists of a random number sequence of a given length in a specific data format and an ordered sequence of random keys. The random number sequence is one that has passed randomness testing and can be divided into multiple subkeys of a set length; the ordered random key sequence is composed of multiple subkeys, each carrying a key identifier, that have passed randomness testing. (Quantum key traffic is produced by generating a quantity of random numbers from a noise source; after they pass the randomness test they are divided into subkeys according to a set length and format and each is given a corresponding key identifier or number, so QKP comprises multiple subkeys together with their key identifiers.)
  • A key identifier includes the application terminal ID, the associated node ID, the key number and the key data length.
  • For example, the key identifier KeyIndex_U1_A_2_1MB denotes subkey number 2, of length 1 MB, shared between application terminal U1 and quantum service node A.
  • Compared with the prior art, the present invention offers a more flexible and efficient quantum key service mode and differs significantly in the following respects:
  • the session key is taken directly from the quantum key traffic of the calling and called sides and no additional noise source is required, so the session key service is more efficient and has no performance bottleneck;
  • the key relay works in a concurrent relay mode: each relay node transmits the XOR of the keys it shares with its adjacent nodes directly to the quantum key relay server, which avoids the process delay and security diffusion of the usual "single-hop routing addressing" relay, makes relaying faster and more secure, and removes the concurrency conflict on quantum links at scale;
  • the invention has substantial practical value in mobile secure communication, mobile office systems and the network control systems of industrial control systems (finance, electric power, energy, transportation, etc.).
  • Figure 1 is a schematic diagram of the principle of the method of the present invention.
  • FIG. 2 is a schematic flowchart of an application terminal registration and communication according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of a principle of using a shared key between adjacent nodes according to an embodiment of the present invention
  • FIG. 4 is a schematic diagram of a quantum key mobility service method according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of an application principle of a key data forwarding device with a wireless communication function according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of an extended application principle of a key data forwarding device with a wireless communication function according to an embodiment of the present invention
  • FIG. 7 is a schematic diagram of an application principle of a device for acquiring a shared key with other devices by using quantum key traffic and the method of the present invention according to an embodiment of the present invention.
  • The communication channels involved in the solution include the quantum key distribution channels between quantum service nodes and conventional communication network channels (wired and wireless; the wireless networks include but are not limited to 4G/5G, WiFi and satellite communication networks). Conventional network channels carry the traffic between application terminals, between application terminals and quantum service nodes, and between those parties and the quantum network management server (and quantum key relay server).
  • All network communication other than QKD uses conventional communication network channels, wired or wireless; communication between a mobile terminal and the quantum service node or the quantum network management server preferably uses a wireless channel.
  • The keys involved in the solution comprise three parts: (1) the shared key between adjacent quantum service nodes (or quantum relay nodes), generated by the quantum key distribution systems of those adjacent nodes and stored in the quantum service node; (2) the quantum key traffic between an application terminal and its associated quantum service node, generated and stored by the quantum service node and downloaded by the application terminal over a wired connection to its storage device; (3) the session key negotiated in real time for each communication. These keys are used only once and are deleted after use.
  • The embodiment of the invention shown in FIG. 1, and the reference symbols in FIG. 1, correspond to the description in paragraph "[0004]" above and are not repeated here.
  • The detailed embodiment is described below by taking as an example the process from the initial registration of the application terminals to the completion of secure communication between them using the method of the invention.
  • The application terminals MT_U and MT_V apply for registration at the adjacent nodes QKN_A and QKN_B respectively and obtain quantum IDs (process 1 in FIG. 2). For example, the holder of an application terminal (an individual, or the manufacturer of the equipment in which the terminal is used) first completes the network access registration at the confidentiality certification centre, which reviews the user's application.
  • Each application terminal admitted to the network obtains a network-wide unique quantum ID issued by the quantum network management server, which is stored in a permanent storage medium of the terminal (such as an SD cryptographic card); the holder sets a password for identity authentication of the service, and applies for and obtains quantum key traffic QKP_AU and QKP_BV respectively (process 2 in FIG. 2).
  • QKN_A and QKN_B create the service association lists for the associated application terminals MT_U and MT_V respectively and upload them to the quantum network management server (process 3 in FIG. 2). A service association list consists of several records, each representing the association information of one registered application terminal, in a format including but not limited to the following:
  • The application terminal MT_U requests a session key with MT_V from the quantum network management server over the conventional communication network (process 4 in FIG. 2). The quantum network management server first authenticates the identity (for example it requires the application terminal to enter its quantum ID and the corresponding password, or the associated quantum service node ID and a service account such as a mobile phone number or mailbox; if the information does not match it must be re-entered; if the quantum ID does not exist or has been deactivated, the terminal must re-apply or be re-activated). After authentication, the corresponding service association lists are looked up by the quantum IDs of MT_U and MT_V, and the associated QKN_A and QKN_B are found from them.
  • The quantum network management server directly designates (process 5 in FIG. 2) that QKN_A and QKN_B use a shared quantum key Kab, cached in advance or negotiated in real time (process 6 in FIG. 2 negotiates the shared quantum key).
  • QKN_A sends Kab ⊕ QKP_AUi and the key identifier of QKP_AUi to the quantum key relay server (process 7 in FIG. 2).
  • QKN_B sends Kab ⊕ QKP_BVj and the key identifier of QKP_BVj to the quantum key relay server (process 7 in FIG. 2).
  • The quantum key relay server sends R and the key identifier of QKP_AUi to MT_U, and R and the key identifier of QKP_BVj to MT_V (process 8 in FIG. 2).
  • Apart from acquiring quantum key traffic, the application terminal does not need a wired connection to a QKN or to the quantum network management server at any point in the communication process, and its geographical location is not restricted.
  • A conventional communication network here includes wired and wireless communication networks.
  • FIG. 3 shows an embodiment of the method by which adjacent nodes confirm the key identifier of the quantum key to be used. Node C(i-1) (i is a natural number greater than 0 and serves only to distinguish nodes) sends the key identifier of a shared key Ki, chosen from the keys it shares with node Ci, to node Ci (process 1 in FIG. 3), and node Ci returns to node C(i-1) a confirmation that Ki is selected (process 3 in FIG. 3). Node Ci sends to node C(i+1) the key identifier of a shared key K(i+1), chosen from the keys the two share (process 2 in FIG. 3),
  • and node C(i+1) returns to node Ci a confirmation that K(i+1) is selected (process 4 in FIG. 3). If the remaining quantum key between adjacent nodes is insufficient, a certain amount of shared quantum key is first negotiated in real time, and a subkey of it is then agreed for the current key relay service.
  • In the example of FIG. 4 the quantum network management server selects three relay nodes QKN_C1, QKN_C2 and QKN_C3. The server first instructs QKN_C1, QKN_C2 and QKN_C3 to upload their current state indicators,
  • then collects those indicators, such as each node's nominal quantum key distribution rate, how many relay tasks it is currently taking part in, and whether quantum channels to other nodes are available, and decides which nodes participate in the relay. The relay nodes compute R1 = K1 ⊕ K2, R2 = K2 ⊕ K3 and
  • R3 = K3 ⊕ K4, and send R1, R2 and R3 to the quantum key relay server respectively.
  • The quantum key relay server then sends R and the key identifier of QKP_AUi to MT_U, and R and the key identifier of QKP_BVj to MT_V.
  • MT_U and MT_V use QKP_AUi (or QKP_BVj) as the session key for the communication and communicate securely.
  • FIG. 5 shows the application principle of a key data forwarding device with wireless communication capability according to an embodiment. The mobile terminals are a secure mobile phone 501 and a secure tablet 502 with wireless communication capability that imports keys directly into a fixed cryptographic terminal.
  • The secure mobile phone 501 and the secure tablet 502 apply for quantum key traffic from quantum service node A 503 and quantum service node B 504 respectively and obtain a shared session key by the method of FIG. 1; the secure tablet 502 then passes the session key into the cryptographic server 506 through a dedicated security interface (such as a one-way USB cable, an SD cryptographic card or a wireless injection adapter).
  • The secure mobile phone 501 encrypts the data to be uploaded with the session key and uploads it to the cryptographic server 506 via the VPN gateway 505.
  • The cryptographic server 506 decrypts the data with the session key and passes it to the enterprise OA system 507.
  • When the secure mobile phone 501 downloads data from the enterprise OA system 507, the data is first encrypted by the cryptographic server 506 and then downloaded to the secure mobile phone 501 via the VPN gateway 505,
  • where the secure mobile phone 501 decrypts it with the session key.
  • Two secure mobile phones can likewise first obtain a shared session key and then communicate securely with each other.
  • FIG. 6 shows an extended application of a key data forwarding device with wireless communication capability according to an embodiment, using two secure tablets 601 and 602 with wireless communication capability that import keys directly into fixed cryptographic terminals.
  • The secure tablet 601 and the secure tablet 602 apply for quantum key traffic from quantum service node A 603 and quantum service node B 604 respectively.
  • The secure tablet 601 and the secure tablet 602 obtain a shared session key by the method of FIG. 1 and pass it through the dedicated security interface (for example a one-way USB cable, an SD cryptographic card or a wireless injection adapter) into the cryptographic server on each side;
  • the service communication between industrial control system A 607 and industrial control system B 607 is then encrypted and decrypted with the shared session key.
  • FIG. 7 shows the application principle of a device that obtains a key shared with another device by using quantum key traffic and the method of the invention, where 701 and 702 are removable storage media bound to the cryptographic servers 605 and 606 respectively.
  • The removable storage media are used to inject quantum key traffic into the cryptographic servers 605 and 606 respectively; the cryptographic servers 605 and 606 obtain a shared session key by the method of FIG. 1 and encrypt and decrypt their communication with it.
  • The method of the invention can be widely used in mobile secure communication and mobile office systems, and also in the network security systems of industrial control systems (finance, electric power, energy, transportation, etc.).

Abstract

Disclosed in the present invention is a quantum key mobile service method with low delay, for use in solving the problems of security, efficiency and large-scale access in a quantum key mobile service. The steps of the present invention are: an application terminal applies for registration with a quantum node and obtains quantum key traffic; a quantum network management server looks up the associated calling and called quantum nodes and the relay nodes according to a request; each node concurrently sends the XOR value of the quantum keys it shares with its two adjacent nodes to a quantum key relay server; the quantum key relay server XORs the received values together to obtain the XOR value of the quantum keys of the two application terminals; and the application terminals implement key sharing on the basis of that XOR value. The method of the present invention has the advantages of security, high efficiency, low delay and no performance bottleneck, and has important application value in fields such as mobile communication, mobile office and industrial control network security systems.

Description

Low-latency quantum key mobile service method

Technical field
The invention belongs to the fields of quantum secure communication and mobile communication, and in particular relates to a low-latency quantum key mobile service method.
Background art
Quantum key distribution (QKD) is a new method for secure key distribution over quantum channels. Based on quantum-mechanical principles such as the impossibility of precisely cloning a quantum state, QKD can achieve unconditionally secure key distribution. However, because a QKD network requires dedicated optical fiber channels, because non-landing quantum relay technology and quantum routing face technical difficulties, and because quantum links suffer from concurrency conflicts at scale, it is difficult to build a quantum network with a complex topology.
Chinese patent CN 104243143 B and published application CN 106972922 A disclose a mobile secure communication method based on a quantum key distribution network. The network is composed of centralized control stations, each of which can be bound to at least one terminal device; encrypted information is delivered to the terminal device bound to a remote centralized control station by a single-hop forwarding, route-addressing relay of the ciphertext and the key. However, this ciphertext and key relaying suffers from security diffusion, and from concurrency conflicts and delays when applied at scale; and because the service key (or session key) must be generated by a centralized control station, generating large volumes of random numbers in real time in a large-scale deployment consumes considerable system resources.
Summary of the invention
In order to reduce the dependence of session key generation on random number generators, and to improve key relay security and the efficiency of mobile services, the present invention discloses a novel session key generation and concurrent relay method, and a low-latency quantum key mobile service method based on it, comprising but not limited to the following steps:
(1-1) An application terminal applies to one quantum service node (node for short, denoted QKN) in the quantum key distribution network for registration into the network, and obtains a unique quantum ID;
(1-2) The registered application terminal applies to at least one quantum service node in the quantum key distribution network for quantum key traffic (denoted QKP; QKP may be produced by having a noise source generate a certain amount of random numbers which, after passing a randomness test, are divided into multiple subkeys of a given length and format, with a corresponding key identifier or number created for each), and quantum key traffic sharing between the application terminal and that quantum service node is implemented; a service association list between the quantum service node and the application terminal is created, and the quantum service node sends this service association list to the quantum network management server of the quantum key distribution network;
(1-3) After a communication service is initiated (or before it starts, depending on the specific service characteristics; this is not strictly limited), the application terminal requests the session key service for this communication from the quantum key distribution network (the calling and called application terminals of this communication are denoted MT_U and MT_V respectively);
(1-4) After receiving the request, the quantum network management server in the quantum key distribution network looks up the corresponding service association lists according to the quantum IDs of MT_U and MT_V, and obtains the associated calling quantum service node (denoted QKN_A) and called quantum service node (denoted QKN_B) (assume MT_U uses a subkey QKP_AUi from the quantum key traffic it shares with QKN_A, where i is a natural number not greater than the number of subkeys in that traffic, and MT_V uses a subkey QKP_BVi from the quantum key traffic it shares with QKN_B, where i is likewise a natural number not greater than the number of subkeys; the subkey length may be chosen according to the encryption and decryption rate of the specific service data), as well as the addresses of the relay nodes participating in this session key service;
(1-5) Based on the stored relay routing table and the current state indicators of the relevant quantum service nodes, the quantum network management server performs the following operations:
(1-5-1) If MT_U and MT_V are associated with the same quantum service node QKN_A (that is, QKN_A and QKN_B are the same node), the quantum network management server directly designates QKN_A to provide this session key service. QKN_A selects the subkeys QKP_AUi of MT_U and QKP_BVj of MT_V and computes R = QKP_AUi ⊕ QKP_BVj (where ⊕ is the exclusive-OR operation; i and j may be the same or different, likewise below). QKN_A sends R together with the key identifiers of QKP_AUi and QKP_BVj to the quantum key relay server; the quantum key relay server then sends R and the key identifier of QKP_AUi to MT_U, and R and the key identifier of QKP_BVj to MT_V. MT_U and MT_V negotiate to use QKP_AUi (or QKP_BVj) as the shared session key; correspondingly, MT_V computes R ⊕ QKP_BVj = QKP_AUi (or MT_U computes R ⊕ QKP_AUi = QKP_BVj);
Optionally, QKN_A selects the subkeys QKP_AUi of MT_U and QKP_BVj of MT_V and computes R = QKP_AUi ⊕ QKP_BVj; QKN_A sends R and the key identifier of QKP_AUi to MT_U over the wireless communication network, and MT_U computes R ⊕ QKP_AUi = QKP_BVj; QKN_A sends the key identifier of QKP_BVj to MT_V over the wireless communication network; MT_U and MT_V use QKP_BVj as the session key of this communication;
(1-5-2) If QKN_A and QKN_B are adjacent nodes between which a point-to-point quantum key distribution connection exists, the quantum network management server directly designates QKN_A and QKN_B to use a shared quantum key Kab that was cached in advance between them or negotiated in real time. QKN_A sends Kab ⊕ QKP_AUi together with the key identifier of QKP_AUi to the quantum key relay server; QKN_B sends Kab ⊕ QKP_BVj together with the key identifier of QKP_BVj to the quantum key relay server; the quantum key relay server computes Kab ⊕ QKP_AUi ⊕ Kab ⊕ QKP_BVj = QKP_AUi ⊕ QKP_BVj = R; it then sends R and the key identifier of QKP_AUi to MT_U, and R and the key identifier of QKP_BVj to MT_V. MT_U and MT_V negotiate to use QKP_AUi (or QKP_BVj) as the shared session key; correspondingly, MT_V computes R ⊕ QKP_BVj = QKP_AUi (or MT_U computes R ⊕ QKP_AUi = QKP_BVj);
Optionally, the quantum network management server directly designates QKN_A and QKN_B to use a shared quantum key R that was cached in advance between them or negotiated in real time. QKN_A computes the XOR value R ⊕ QKP_AUi of R and the MT_U subkey QKP_AUi, and sends R ⊕ QKP_AUi together with the key identifier of QKP_AUi to MT_U over the wireless communication network; MT_U computes R ⊕ QKP_AUi ⊕ QKP_AUi = R. QKN_B computes the XOR value R ⊕ QKP_BVj of R and the MT_V subkey QKP_BVj, and sends R ⊕ QKP_BVj together with the key identifier of QKP_BVj to MT_V over the wireless communication network; MT_V computes R ⊕ QKP_BVj ⊕ QKP_BVj = R. MT_U and MT_V use R as the session key of this communication;
(1-5-3) If QKN_A and QKN_B are two non-adjacent quantum service nodes, the quantum network management server selects n (n a natural number greater than 0) relay nodes to participate in the quantum key relay, and has each relay node compute the XOR value of the shared quantum keys it holds with its two neighbouring nodes and send it to the quantum key relay server;
Assume all quantum service nodes participating in this relay are denoted in order QKN_A, …, QKN_Ci, …, QKN_B (where i is a natural number with 0 < i < n+1; with one relay node, n = 1 and i = 1; with two relay nodes, n = 2 and i = 1, 2; and so on). Assume the keys K1, …, Ki, …, K(n+1) are selected in turn between adjacent nodes as the quantum keys of this relay service, where K1 is the shared quantum key cached in advance or negotiated in real time between node A and node C1, Ki is the shared quantum key cached in advance or negotiated in real time between node C(i-1) and node Ci (where i is a natural number with 1 < i < n+1), and K(n+1) is the shared quantum key cached in advance or negotiated in real time between node Cn and node B. Adjacent nodes confirm the key identifier of the quantum key to be used and use the quantum key with that same key identifier;
The quantum network management server has QKN_A compute R0 = QKP_AUi ⊕ K1 and send the result R0 together with the key identifier of QKP_AUi to the quantum key relay server; has QKN_B compute R(n+1) = K(n+1) ⊕ QKP_BVj and send the result R(n+1) together with the key identifier of QKP_BVj to the quantum key relay server; and has each node QKN_Ci compute the XOR (denoted ⊕) of the two shared quantum keys it holds with its two adjacent nodes, that is, Ri = Ki ⊕ K(i+1), and send the result Ri together with the ID of QKN_Ci to the quantum key relay server (where i is a natural number with 0 < i < n+1). If the quantum key relay server does not receive the results of some nodes within a set time, it requests those nodes to resend their results until all n+2 XOR results have been received. The quantum key relay server then XORs the n+2 results together, that is, computes R0 ⊕ R1 ⊕ … ⊕ Ri ⊕ … ⊕ Rn ⊕ R(n+1) = QKP_AUi ⊕ QKP_BVj = R (where i is a natural number with 0 < i < n); it then sends R and the key identifier of QKP_AUi to MT_U, and R and the key identifier of QKP_BVj to MT_V. MT_U and MT_V negotiate to use QKP_AUi (or QKP_BVj) as the shared session key; correspondingly, MT_V computes R ⊕ QKP_BVj = QKP_AUi (or MT_U computes R ⊕ QKP_AUi = QKP_BVj);
(1-6) MT_U and MT_V use the session key R obtained in step (1-5) to communicate securely over the original data link of that type of communication service.
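The three relay cases of step (1-5) all rest on one identity: every link key appears in exactly two of the submitted XOR values and cancels when the quantum key relay server combines them, so the server ends up with R = QKP_AUi ⊕ QKP_BVj and nothing else. The simulation below is an added example, not code from the patent; the function names, the dictionary interface of the relay server and the constructed byte-string keys are assumptions. It covers the same-node case (no link keys), the adjacent-node case (a single key Kab) and the general n-relay case, and it refuses to combine an incomplete set of results, mirroring the resend requirement of step (1-5-3).

```python
"""Concurrent XOR key relay of steps (1-5-1) to (1-5-3), simulated end to end.

Added example, not code from the patent. Function names, the dict-of-results
interface of the relay server and the sample keys are assumptions; the keys
are constructed byte strings standing in for QKD-derived subkeys and link keys.
"""
from functools import reduce
from typing import Dict, List, Tuple


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of equal-length byte strings (the ⊕ of the patent)."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def endpoint_result(qkp_sub: bytes, link_key: bytes) -> bytes:
    """QKN_A computes R0 = QKP_AUi ⊕ K1; QKN_B computes R(n+1) = K(n+1) ⊕ QKP_BVj."""
    return xor(qkp_sub, link_key)


def relay_result(k_in: bytes, k_out: bytes) -> bytes:
    """QKN_Ci computes Ri = Ki ⊕ K(i+1) from its two link keys only.

    A relay node never holds a terminal subkey, so it cannot learn the session key."""
    return xor(k_in, k_out)


def relay_server_combine(results: Dict[int, bytes], n: int) -> bytes:
    """Quantum key relay server: XOR the n+2 results R0..R(n+1) into R = QKP_AUi ⊕ QKP_BVj.

    Results are keyed by position. Missing positions are reported so the caller can
    request a resend, as step (1-5-3) requires, rather than combining a partial set."""
    missing = [i for i in range(n + 2) if i not in results]
    if missing:
        raise LookupError(f"results not received from positions {missing}")
    return reduce(xor, (results[i] for i in range(n + 2)))


def run_session_key_service(qkp_aui: bytes, qkp_bvj: bytes,
                            link_keys: List[bytes]) -> Tuple[bytes, bytes]:
    """Simulate the whole exchange for a path with len(link_keys) - 1 relay nodes.

    link_keys is [K1, ..., K(n+1)]: an empty list is the same-node case (1-5-1),
    a single key Kab is the adjacent-node case (1-5-2), more is the n-relay case.
    Returns (R as delivered to the terminals, the session key MT_V derives from R
    and its own subkey QKP_BVj)."""
    if not link_keys:
        r = xor(qkp_aui, qkp_bvj)  # QKN_A computes R directly (1-5-1)
    else:
        n = len(link_keys) - 1
        results = {0: endpoint_result(qkp_aui, link_keys[0])}      # R0 from QKN_A
        for i in range(1, n + 1):                                   # Ri from QKN_Ci
            results[i] = relay_result(link_keys[i - 1], link_keys[i])
        results[n + 1] = endpoint_result(qkp_bvj, link_keys[n])    # R(n+1) from QKN_B
        r = relay_server_combine(results, n)
    # MT_U and MT_V agreed on QKP_AUi as the session key; MT_V recovers it from R.
    session_key_at_v = xor(r, qkp_bvj)
    return r, session_key_at_v


if __name__ == "__main__":
    # Constructed 4-byte keys; real subkeys are 32 B to 1 MB per the description.
    aui, bvj = bytes([1, 2, 3, 4]), bytes([9, 8, 7, 6])
    links = [bytes([0x10] * 4), bytes([0x20] * 4), bytes([0x30] * 4)]  # K1, K2, K3: two relays
    r, sk = run_session_key_service(aui, bvj, links)
    print("R seen by relay server:", r.hex(), "| MT_V derived:", sk.hex())
```

Because every Ki cancels, the relay server's view is the same R whether there are zero, one or many relays, which is what makes the per-node submissions independent of each other and allows them to be sent concurrently rather than hop by hop.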
Further, the content of the service association list in step (1-2) above includes, but is not limited to: the quantum ID of the application terminal, a verification password, the address of the associated quantum service node, and service account identifiers. The quantum ID of a registered application terminal is unique within the entire quantum key distribution network; the verification password is used to confirm the identity of the application terminal when it connects to the quantum key distribution network; the service account identifiers are the set of accounts for the various communication services supported by the application terminal and the quantum key distribution network, and contain one or more accounts for different services.
Further, the above method also includes a quantum network management server whose features include, but are not limited to:
(3-1) storing, maintaining and querying the service association lists between quantum service nodes and application terminals, and the relay routing tables;
(3-2) maintaining classical network connections with each quantum service node;
(3-3) sending relay service instructions to the quantum key relay server according to the received relay request information;
(3-4) aggregating the current state indicators of the nodes that can take part in trusted relaying, and deciding which nodes will participate in the relay;
(3-5) communicating with the quantum service nodes and sending instructions to them.
Further, the above method also includes a quantum key relay server whose features include, but are not limited to: responding in real time to instructions of the quantum network management server, receiving relay-related data from the relay nodes, and sending relay key-related data to the source node and the target node.
Further, in the above method the quantum service node includes, but is not limited to, a QKD system, a quantum key server and a secure storage server, characterized in that:
(5-1) the QKD system includes one or more integrated QKD transceivers, or QKD transmitters and/or receivers; the QKD of one quantum service node together with the QKD of any adjacent quantum service node to which a point-to-point quantum channel exists forms at least one quantum key distribution system (adjacent relay nodes use QKD systems of the same type to form a quantum key distribution link);
(5-2) the quantum key server provides registration services and quantum key traffic services to application terminals and creates the corresponding service association lists; it also responds to instructions of the quantum network management server, reports node status information and provides trusted relay services; it also sends user registration information and service association lists to the quantum network management server; and it also negotiates and confirms the quantum keys used with adjacent nodes;
(5-3) the secure storage server caches the quantum keys negotiated between the QKD system and the QKD systems of adjacent quantum service nodes to which a direct connection exists, and also stores the quantum key traffic shared with the application terminals it serves.
It should be noted that two nodes are called adjacent nodes if a point-to-point quantum channel connection exists between them over which quantum key distribution can be performed (in addition, two ground nodes of a quantum satellite also count as adjacent nodes). Adjacent nodes may cache quantum keys in advance or negotiate a certain amount of quantum key in real time; the nodes concerned may group the quantum keys, run a randomness test on each group, divide each group that passes the test into multiple subkeys (for example, a 10 MB group divided into ten 1 MB subkeys, or into multiple 32-byte, 64-byte or 128-byte subkeys), number and cache the subkeys, and create the corresponding key identifiers.
Further, the method by which the quantum network management server in step (1-4) of the above method obtains the addresses of the relay nodes participating in this session key service is characterized in that:
the quantum network management server looks up the corresponding service association lists according to the received quantum IDs of the calling and called application terminals, obtaining the addresses of the calling and called quantum service nodes for this communication; it then queries the stored relay routing table to obtain the addresses of each relay quantum service node between the calling and called quantum service nodes for this communication.
It should be noted that the relay routing table must take into account whether a pre-cached quantum key exists between adjacent nodes and whether a quantum key can be negotiated in real time: the route between two adjacent nodes is reachable only if a pre-cached quantum key exists between them or a quantum key can be negotiated in real time; otherwise it is unreachable.
Further, the above method also includes: if a registered application terminal has obtained quantum key traffic from multiple quantum service nodes, holds a service association with each of them and stores the corresponding service association lists, the application terminal sorts these service association lists by priority (for example, by the node where it registered, the node at its current location of traffic use, etc.; the present invention does not limit this), and selects the associated quantum service node and uses the corresponding quantum key traffic preferentially according to that order.
Further, the "relay routing table" in step (1-5) of the above method has features including, but not limited to:
(8-1) the relay routing table consists of a number of records, each of which includes, but is not limited to: a local address, a destination address and a next-hop address;
(8-2) each quantum service node in the quantum key distribution network stores its own relay routing table;
(8-3) the quantum network management server stores the current relay routing table of every quantum service node;
(8-4) when the topology of the quantum key distribution network changes, the session key relay routing table is updated accordingly.
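Putting the lookup of step (1-4), the reachability rule for adjacent nodes and the (local, destination, next-hop) records of (8-1) together gives a small path-resolution routine. The code below is an added example, not code from the patent: the dictionary layouts of the service association lists, routing records and link state, the function names and the sample topology are all constructed for illustration. It walks next-hop records from QKN_A to QKN_B, treats a hop as usable only when a cached key exists or real-time QKD is available, and guards against routing loops, which a stale table after a topology change (8-4) could otherwise produce.

```python
"""Relay path resolution from service association lists and relay routing tables.

Added example, not code from the patent. The dict layouts, field names and the
sample topology below are assumptions constructed for illustration.
"""
from typing import List

# Constructed service association lists keyed by quantum ID (step 1-2).
SERVICE_ASSOCIATION = {
    "QID-U": {"node": "QKN_A", "accounts": ["voip:u"]},
    "QID-V": {"node": "QKN_B", "accounts": ["voip:v"]},
    "QID-W": {"node": "QKN_A", "accounts": ["voip:w"]},
    "QID-X": {"node": "QKN_D", "accounts": ["voip:x"]},
}

# Constructed relay routing records (8-1): (local address, destination) -> next hop.
RELAY_ROUTES = {
    ("QKN_A", "QKN_B"): "QKN_C1",
    ("QKN_C1", "QKN_B"): "QKN_C2",
    ("QKN_C2", "QKN_B"): "QKN_B",
    ("QKN_A", "QKN_D"): "QKN_D",
}

# Constructed link state between adjacent nodes: pre-cached key count and whether
# real-time QKD negotiation is currently possible on that link.
LINK_STATE = {
    frozenset({"QKN_A", "QKN_C1"}): {"cached_keys": 4, "qkd_available": True},
    frozenset({"QKN_C1", "QKN_C2"}): {"cached_keys": 0, "qkd_available": True},
    frozenset({"QKN_C2", "QKN_B"}): {"cached_keys": 2, "qkd_available": False},
    frozenset({"QKN_A", "QKN_D"}): {"cached_keys": 0, "qkd_available": False},
}


def link_reachable(a: str, b: str) -> bool:
    """A hop is usable only if a cached key exists or a key can be negotiated in real time."""
    state = LINK_STATE.get(frozenset({a, b}))
    if state is None:
        return False
    return state["cached_keys"] > 0 or state["qkd_available"]


def resolve_relay_path(qid_u: str, qid_v: str, max_hops: int = 16) -> List[str]:
    """Return [QKN_A, relay nodes..., QKN_B] for a call between two quantum IDs.

    One element: both terminals share a node (1-5-1). Two elements: adjacent
    nodes (1-5-2). Longer: the concurrent relay case (1-5-3)."""
    try:
        qkn_a = SERVICE_ASSOCIATION[qid_u]["node"]
        qkn_b = SERVICE_ASSOCIATION[qid_v]["node"]
    except KeyError as exc:
        raise LookupError(f"no service association for quantum ID {exc}") from None
    path = [qkn_a]
    current = qkn_a
    while current != qkn_b:
        if len(path) > max_hops:
            raise RuntimeError("relay routing loop or path too long")
        nxt = RELAY_ROUTES.get((current, qkn_b))
        if nxt is None:
            raise LookupError(f"no relay route from {current} to {qkn_b}")
        if not link_reachable(current, nxt):
            raise RuntimeError(f"link {current}-{nxt} has no usable quantum key")
        path.append(nxt)
        current = nxt
    return path


def relay_nodes(path: List[str]) -> List[str]:
    """The n relay nodes QKN_C1..QKN_Cn that must each submit an XOR result in step 1-5-3."""
    return path[1:-1]


if __name__ == "__main__":
    p = resolve_relay_path("QID-U", "QID-V")
    print("path:", " -> ".join(p), "| relays:", relay_nodes(p))
```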
Further, the current state indicators of a quantum service node in the above method include, but are not limited to:
(9-1) an indicator reflecting how heavily the quantum service node is currently loaded with relay tasks; this is a quantified indicator and includes, but is not limited to:
(9-1-1) the rated quantum key distribution rate of the quantum service node;
(9-1-2) how many relay tasks the quantum service node is currently participating in, and the quantum key consumption rate of each relay task;
(9-2) an indicator reflecting the current position of the quantum service node in the quantum key distribution network; this is a quantified indicator and includes, but is not limited to:
(9-2-1) how many other quantum service nodes the quantum service node has an effective quantum channel to, over which quantum key negotiation can be performed;
(9-2-2) the number of hops between the quantum service node and other quantum service nodes.
Further, the application terminals in the above method include intelligent portable communication devices with a wireless communication function (including but not limited to smartphones, and tablets and notebook computers with network communication functions), key data forwarding devices with a wireless communication function (including but not limited to key injection devices with a wireless communication function, and secure tablets with a wireless communication function for directly importing keys into fixed cryptographic terminals), and devices that use quantum key traffic and the described method to obtain shared keys with other devices (including but not limited to network IP encryption devices, various VPN encryption gateway devices, channel encryption devices and PCs running encryption software, which obtain quantum key traffic via removable storage media and negotiate shared keys using the described method), characterized in that:
(10-1) the intelligent portable communication device with a wireless communication function uses the session key obtained by the method for encrypted and decrypted service data communication;
(10-2) the key data forwarding device with a wireless communication function forwards the session key obtained by the method to other encrypted communication devices, for encrypted and decrypted service data communication between those devices;
(10-3) the device that uses quantum key traffic and the method to obtain a shared key with other devices is characterized in that it obtains quantum key traffic by an offline route, negotiates a shared key with other devices using the method, and communicates in encrypted form based on that shared key.
When an application terminal's quantum key traffic is used up, it may apply to any quantum service node for new quantum key traffic, and a new service association list is created at the same time.
Further, the above method also includes quantum key traffic, characterized in that quantum key traffic comprises a random number sequence of a certain length in a specific data format and an arranged random key sequence, wherein the random number sequence in the specific data format has passed a randomness test and can be divided into multiple subkeys of a given length, and the arranged random key sequence consists of multiple subkeys that have passed a randomness test and carry key identifiers (quantum key traffic is produced by having a noise source generate a certain amount of random numbers which, after passing a randomness test, are divided into multiple subkeys of a given length and format, with a corresponding key identifier or number created for each; QKP includes multiple subkeys and their key identifiers, and a key identifier contains the application terminal ID, the associated node ID, the key number and the key data length; for example, the key identifier KeyIndex_U1_A_2_1MB denotes the 1 MB shared key numbered 2 between U1 and node A).
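The paragraph above fixes the information a key identifier carries (terminal ID, node ID, key number, key length) and gives one instance, KeyIndex_U1_A_2_1MB, but no formal grammar. The code below is an added example, not code from the patent: the exact separator and unit rules, the function names and the simplified randomness check are assumptions chosen here so that the identifier in the text round-trips. It parses and formats identifiers and splits a block of random material into numbered subkeys, dropping chunks that fail the check, which is the point at which grossly biased material from a faulty noise source should be caught before it is ever labelled as key.

```python
"""Quantum key traffic (QKP) key identifiers and subkey splitting.

Added example, not code from the patent. The patent gives only one identifier,
KeyIndex_U1_A_2_1MB (terminal ID, node ID, key number, key length); the separator
and unit rules, the function names and the simplified randomness check here are
assumptions for illustration. Sample inputs are constructed.
"""
import re
from typing import Dict, List, Tuple

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 * 1024}
_KEY_ID_RE = re.compile(
    r"^KeyIndex_(?P<terminal>[A-Za-z0-9]+)_(?P<node>[A-Za-z0-9]+)"
    r"_(?P<number>[0-9]+)_(?P<size>[0-9]+)(?P<unit>B|KB|MB)$"
)


def parse_key_id(key_id: str) -> Dict[str, object]:
    """Split KeyIndex_<terminal>_<node>_<number>_<length> into fields; length in bytes."""
    m = _KEY_ID_RE.match(key_id)
    if m is None:
        raise ValueError(f"malformed key identifier: {key_id!r}")
    return {
        "terminal": m["terminal"],
        "node": m["node"],
        "number": int(m["number"]),
        "length_bytes": int(m["size"]) * _UNITS[m["unit"]],
    }


def format_key_id(terminal: str, node: str, number: int, length_bytes: int) -> str:
    """Inverse of parse_key_id; uses the largest unit that divides the length exactly."""
    for unit in ("MB", "KB"):
        if length_bytes % _UNITS[unit] == 0:
            return f"KeyIndex_{terminal}_{node}_{number}_{length_bytes // _UNITS[unit]}{unit}"
    return f"KeyIndex_{terminal}_{node}_{number}_{length_bytes}B"


def passes_randomness_check(chunk: bytes, tolerance: float = 0.1) -> bool:
    """Simplified stand-in for the randomness test the patent requires.

    Accepts a chunk only if its fraction of one-bits lies within 0.5 ± tolerance.
    A deployment would run a full statistical suite; this monobit-style check
    only catches grossly biased material such as a stuck noise source."""
    nbits = 8 * len(chunk)
    ones = sum(bin(b).count("1") for b in chunk)
    return abs(ones / nbits - 0.5) <= tolerance


def split_qkp(raw: bytes, terminal: str, node: str, sub_len: int) -> List[Tuple[str, bytes]]:
    """Divide raw random material into fixed-length subkeys with key identifiers.

    Chunks failing the randomness check and any trailing partial chunk are dropped;
    surviving subkeys are numbered consecutively from 1."""
    if sub_len <= 0:
        raise ValueError("sub_len must be positive")
    subkeys: List[Tuple[str, bytes]] = []
    number = 1
    for start in range(0, len(raw) - sub_len + 1, sub_len):
        chunk = raw[start:start + sub_len]
        if not passes_randomness_check(chunk):
            continue  # rejected material is never labelled as key
        subkeys.append((format_key_id(terminal, node, number, sub_len), chunk))
        number += 1
    return subkeys


if __name__ == "__main__":
    print(parse_key_id("KeyIndex_U1_A_2_1MB"))
    # Constructed material: two balanced 128-byte chunks followed by 128 zero bytes.
    sample = bytes(range(256)) + bytes(128)
    for key_id, _ in split_qkp(sample, "U1", "A", 128):
        print(key_id)
```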
与现有技术相比,本发明具有更灵活、更高效的量子密钥服务方式,并具有以下几方面的显著创新性:Compared with the prior art, the present invention has a more flexible and efficient quantum key service mode, and has significant innovations in the following aspects:
(1)本发明的会话密钥直接由主叫和被叫节点的量子密钥生成,不需要额外的噪声源;效率更高,无性能瓶颈;(1) The session key of the present invention is directly generated by the quantum key of the calling and called nodes, and does not require an additional noise source; the efficiency is higher, and there is no performance bottleneck;
(2)密钥中继采用并发中继方式,中继节点把相邻节点的中继密钥异或值直接发给量子密钥中继服务器,克服了通常的“单跳路由寻址”中继过程的延迟和安全性扩散问题,中继效率更高,安全更高,并且无量子链路规模并发冲突问题;(2) The key relay adopts the concurrent relay mode, and the relay node directly transmits the relay key XOR value of the adjacent node to the quantum key relay server, thereby overcoming the usual "single-hop routing addressing". Following the process delay and security diffusion problem, the relay efficiency is higher, the security is higher, and there is no quantum link size concurrency conflict problem;
本发明在移动保密通信、移动办公系统、工业控制系统(金融、电力、能源、交通等)的网络安全系统等领域中有着十分重要的实际应用价值。The invention has very important practical application value in the fields of mobile secure communication, mobile office systems, network control systems of industrial control systems (finance, electric power, energy, transportation, etc.).
DRAWINGS
Figure 1 is a schematic diagram of the principle of the method of the present invention;
Figure 2 is a schematic flowchart of application terminal registration and communication according to an embodiment of the present invention;
Figure 3 is a schematic diagram of the principle of the method for using a shared key between adjacent nodes according to an embodiment of the present invention;
Figure 4 is a schematic diagram of the quantum key mobile service method according to an embodiment of the present invention;
Figure 5 is a schematic diagram of the application principle of a key data forwarding device with wireless communication function according to an embodiment of the present invention;
Figure 6 is a schematic diagram of the extended application principle of a key data forwarding device with wireless communication function according to an embodiment of the present invention;
Figure 7 is a schematic diagram of the application principle of a device that uses quantum key traffic and the method of the present invention to obtain a shared key with other devices, according to an embodiment of the present invention.
To make the technical solution and advantages of the present invention clearer, the present invention is described in further detail below, as part of the invention, with reference to the accompanying drawings and specific embodiments.
The communication channels involved in the solution of the present invention include: the quantum key distribution channels between quantum service nodes; conventional communication network channels (including wired and wireless networks, where wireless networks include but are not limited to 4G/5G networks, WiFi and satellite communication networks); the wireless communication network channels between application terminals; and the conventional communication network channels between application terminals and the quantum service nodes and the quantum network management server (quantum key relay server). Apart from quantum key distribution, which must occupy a quantum channel, all other network communication uses conventional communication network channels, both wired and wireless; communication between mobile terminals and the quantum service nodes and quantum network management server preferentially uses wireless channels.
The keys involved in the solution of the present invention mainly comprise three parts: (1) shared keys between adjacent quantum service nodes (or quantum relay nodes), generated by the quantum key distribution system between the adjacent quantum service nodes (or quantum relay nodes) and stored at the quantum service nodes; (2) the quantum key traffic between an application terminal and its associated quantum service node, generated and kept by the quantum service node and downloaded by the application terminal to a storage device over a wired connection; (3) the session key negotiated in real time for each communication. These keys are used only once and are deleted after use.
The embodiment of the present invention shown in Figure 1 and the reference symbols in Figure 1 are the same as in the corresponding description in "[0004]" above and are not repeated here. The detailed embodiment of the present invention is described below using, as an example, the initial registration of application terminals and the completion of one secure communication between two application terminals that use the method of the present invention. As shown in Figure 2, application terminals MT_U and MT_V apply for registration at the adjacent nodes QKN_A and QKN_B respectively and obtain quantum IDs (process 1 in Figure 2; for example, the holder of the application terminal (an individual, or the manufacturer of the application terminal) first goes to the confidential certification center to complete the network access procedure; the confidential certification center reviews the user's access application and, if it is approved, obtains for each application terminal applying for access a network-wide unique quantum ID allocated by the quantum network management server; this quantum ID is stored in a permanent storage medium of the application terminal (such as an SD cryptographic card), and a password is set for identity authentication when obtaining services); they then apply for and obtain the quantum key traffic QKP_AU and QKP_BV respectively (process 2 in Figure 2);
QKN_A and QKN_B respectively create service association lists for the associated application terminals MT_U and MT_V and upload them to the quantum network management server (process 3 in Figure 2). A service association list consists of a number of records, each representing the association information of one registered application terminal, in a format including but not limited to the following:
[Figure PCTCN2018121409-appb-000001: table showing the record format of the service association list]
Application terminal MT_U requests a session key for communication with MT_V from the quantum network management server over the conventional communication network (process 4 in Figure 2). The quantum network management server first authenticates it (for example, by requiring the application terminal to enter its quantum ID and the corresponding password, or the associated quantum service node ID and a service account such as a mobile phone number or e-mail address; if the information does not match, it must be re-entered; if the quantum ID does not exist or has been deactivated, it must be re-applied for or activated). After authentication, the server looks up the corresponding service association lists by the quantum IDs of MT_U and MT_V and finds the associated QKN_A and QKN_B from them;
The quantum network management server directly instructs (process 5 in Figure 2) QKN_A and QKN_B to use a shared quantum key Kab that was cached in advance between them or negotiated in real time (negotiated via process 6 in Figure 2). QKN_A sends Kab⊕QKP_AUi and the key identifier of QKP_AUi to the quantum key relay server (process 7 in Figure 2); QKN_B sends Kab⊕QKP_BVj and the key identifier of QKP_BVj to the quantum key relay server (process 7 in Figure 2); the quantum key relay server computes Kab⊕QKP_AUi⊕Kab⊕QKP_BVj=QKP_AUi⊕QKP_BVj=R; the quantum key relay server then sends R and the key identifier of QKP_AUi to MT_U (process 8 in Figure 2) and R and the key identifier of QKP_BVj to MT_V (process 8 in Figure 2); MT_U and MT_V negotiate to use QKP_AUi (or QKP_BVj) as the shared session key (process 9 in Figure 2), and accordingly MT_V computes R⊕QKP_BVj=QKP_AUi (or MT_U computes R⊕QKP_AUi=QKP_BVj).
It should be noted that in this embodiment, except for the process of obtaining quantum key traffic, the application terminal does not need a wired connection to a QKN or to the quantum network management server, nor is the geographical location of the application terminal restricted; however, a conventional communication network (wired or wireless) is required between the application terminal and the quantum network management server and between the quantum network management server and the QKNs.
Figure 3 shows an embodiment of the method of the present invention by which adjacent nodes confirm the key identifier of the quantum key to be used. Node C(i-1) (where i is a natural number greater than 0, used here only to distinguish nodes) sends node Ci the key identifier of a key Ki it has selected from the shared keys between the two (process 1 in Figure 3), and node Ci returns to node C(i-1) a confirmation of the selection of Ki (process 3 in Figure 3); node Ci sends node C(i+1) the key identifier of a key K(i+1) it has selected from the shared keys between the two (process 2 in Figure 3), and node C(i+1) returns to node Ci a confirmation of the selection of K(i+1) (process 4 in Figure 3). If the remaining quantum key between adjacent nodes is insufficient, a certain amount of shared quantum key must first be negotiated in real time, after which a subkey is negotiated and selected for the current key relay service.
Figure 4 is a schematic diagram of the quantum key mobile service method according to an embodiment of the present invention. The quantum network management server selects three relay nodes QKN_C1, QKN_C2 and QKN_C3 (it first instructs QKN_C1, QKN_C2 and QKN_C3 to upload their current state indicators, then determines the relay nodes for this communication from the collected indicators, such as each node's nominal quantum key distribution rate, how many relay tasks it is currently participating in, whether quantum channels to other nodes are available and the corresponding relay hop counts, and in particular whether a cached quantum key exists between each node and its neighbours or a link exists over which a quantum key can be negotiated in real time). It has QKN_A compute R0=QKP_AUi⊕K1 and send R0 together with the key identifier of QKP_AUi to the quantum key relay server; it has QKN_B compute R4=K4⊕QKP_BVj and send R4 together with the key identifier of QKP_BVj to the quantum key relay server; it has QKN_C1, QKN_C2 and QKN_C3 compute R1=K1⊕K2, R2=K2⊕K3 and R3=K3⊕K4 respectively and send R1, R2 and R3 to the quantum key relay server. The quantum key relay server computes R=R0⊕R1⊕R2⊕R3⊕R4=QKP_AUi⊕QKP_BVj, then sends R and the key identifier of QKP_AUi to MT_U and R and the key identifier of QKP_BVj to MT_V. MT_U and MT_V negotiate to use QKP_AUi (or QKP_BVj) as the shared session key; accordingly MT_V computes R⊕QKP_BVj=QKP_AUi (or MT_U computes R⊕QKP_AUi=QKP_BVj). MT_U and MT_V then use QKP_AUi (or QKP_BVj) as the session key for this communication and communicate securely.
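The concurrent XOR relay of Figures 2 and 4 (and, in its general n-relay form, step (1-5) of claim 1) as an added simulation; this is example code written for this page, not the patent's own implementation. All key material is constructed at random, the node and server roles run in one process, the resend-on-timeout behaviour is modelled as a dropped first message, and the 1024-based multiplier used when parsing a key identifier such as KeyIndex_U1_A_2_1MB is an assumption.

```python
import os
import re
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR (the patent's ⊕) of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


# Key identifier layout from the description: KeyIndex_<terminal ID>_<node ID>_<number>_<length>
# e.g. KeyIndex_U1_A_2_1MB = subkey number 2, 1 MB, shared between U1 and node A.
KEY_ID_RE = re.compile(
    r"^KeyIndex_(?P<terminal>[^_]+)_(?P<node>[^_]+)_(?P<number>\d+)_(?P<size>\d+)(?P<unit>[KMG]?B)$")
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}   # assumed multiplier


def parse_key_id(key_id: str) -> dict:
    """Split a key identifier into its fields; rejects anything not in the expected layout."""
    m = KEY_ID_RE.match(key_id)
    if m is None:
        raise ValueError(f"malformed key identifier: {key_id}")
    f = m.groupdict()
    return {"terminal": f["terminal"], "node": f["node"], "number": int(f["number"]),
            "length_bytes": int(f["size"]) * _UNIT[f["unit"]]}


class KeyRelayServer:
    """Quantum key relay server: gathers one XOR contribution per participating node and
    combines them only once all n+2 results (QKN_A, QKN_C1..QKN_Cn, QKN_B) have arrived."""

    def __init__(self, expected_nodes):
        self.expected = list(expected_nodes)
        self.received = {}

    def submit(self, node_id: str, value: bytes) -> None:
        self.received[node_id] = value

    def missing(self) -> list:
        """Nodes whose result has not arrived; the server asks exactly these to resend."""
        return [n for n in self.expected if n not in self.received]

    def combine(self) -> bytes:
        if self.missing():
            raise RuntimeError("incomplete relay: " + ", ".join(self.missing()))
        return reduce(xor_bytes, (self.received[n] for n in self.expected))


def node_contributions(qkp_au_i: bytes, qkp_bv_j: bytes, link_keys: list) -> dict:
    """What each node sends to the relay server, keyed by node ID.
    link_keys = [K1, ..., K(n+1)] along the path QKN_A, QKN_C1..QKN_Cn, QKN_B.
    An empty list is the same-node case (1-5-1); one key is the adjacent case of Figure 2."""
    if not link_keys:
        return {"QKN_A": xor_bytes(qkp_au_i, qkp_bv_j)}    # R = QKP_AUi ⊕ QKP_BVj
    n = len(link_keys) - 1
    out = {"QKN_A": xor_bytes(qkp_au_i, link_keys[0])}    # R0 = QKP_AUi ⊕ K1
    for i in range(1, n + 1):                             # Ri = Ki ⊕ K(i+1)
        out[f"QKN_C{i}"] = xor_bytes(link_keys[i - 1], link_keys[i])
    out["QKN_B"] = xor_bytes(link_keys[-1], qkp_bv_j)     # R(n+1) = K(n+1) ⊕ QKP_BVj
    return out


def run_relay(qkp_au_i: bytes, qkp_bv_j: bytes, link_keys: list, dropped=()) -> dict:
    """Simulate one session-key service. 'dropped' names nodes whose first message is lost;
    the server notices the gap and those nodes resend, as claim 1 requires."""
    contributions = node_contributions(qkp_au_i, qkp_bv_j, link_keys)
    server = KeyRelayServer(contributions.keys())
    for node, value in contributions.items():
        if node not in dropped:
            server.submit(node, value)
    retried = server.missing()
    for node in retried:                                  # resend after the server's request
        server.submit(node, contributions[node])
    R = server.combine()
    # MT_V unmasks R with its own subkey and obtains MT_U's subkey as the session key
    session_key_at_v = xor_bytes(R, qkp_bv_j)
    return {"R": R, "retried": retried,
            "session_key_u": qkp_au_i, "session_key_v": session_key_at_v,
            # everything the relay server ever sees: link-key-masked values plus R; a bare
            # QKP subkey never appears here, only a terminal's own subkey unmasks R
            "server_view": dict(server.received, R=R)}


def demo(key_len: int = 32) -> dict:
    """Figure 4 case: three relay nodes, four link keys K1..K4, constructed random keys."""
    qkp_au_i, qkp_bv_j = os.urandom(key_len), os.urandom(key_len)
    link_keys = [os.urandom(key_len) for _ in range(4)]
    return run_relay(qkp_au_i, qkp_bv_j, link_keys, dropped=("QKN_C2",))


if __name__ == "__main__":
    result = demo()
    print("session keys agree:", result["session_key_u"] == result["session_key_v"])
    print("nodes that resent after the server's request:", result["retried"])
    print(parse_key_id("KeyIndex_U1_A_2_1MB"))
```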
Figure 5 is a schematic diagram of the application principle of a key data forwarding device with wireless communication function according to an embodiment of the present invention. The mobile terminals are a secure mobile phone 501 and a secure tablet 502 with wireless communication function that is used to import keys directly into a fixed cryptographic terminal. The secure mobile phone 501 and the secure tablet 502 have applied for quantum key traffic from quantum service node A 503 and quantum service node B 504 respectively; they obtain a shared session key by the method of Figure 1, and the secure tablet 502 injects the session key into the cryptographic server 506 through a dedicated secure interface (such as a one-way USB cable, an SD cryptographic card or a wireless injection adapter);
The secure mobile phone 501 encrypts the data to be uploaded with the session key and uploads it through the VPN gateway 505 to the cryptographic server 506, which decrypts it with the session key and passes it on to the enterprise OA system 507. Likewise, when the secure mobile phone 501 downloads data from the enterprise OA system 507, the data is first encrypted by the cryptographic server 506 with the session key, then downloaded to the secure mobile phone 501 through the VPN gateway 505, and the secure mobile phone 501 decrypts it with the session key to obtain the plaintext. In a similar way, two secure mobile phones can first obtain a shared session key and then communicate securely.
Figure 6 is a schematic diagram of the extended application principle of a key data forwarding device with wireless communication function according to an embodiment of the present invention. Secure tablets 601 and 602, which have wireless communication function and are used to import keys directly into fixed cryptographic terminals, have applied for quantum key traffic from quantum service node A 603 and quantum service node B 604 respectively. The secure tablets 601 and 602 obtain a shared session key by the method of Figure 1 and inject it into cryptographic servers 605 and 606 respectively through a dedicated secure interface (such as a one-way USB cable, an SD cryptographic card or a wireless injection adapter); the service communication between industrial control system A 607 and industrial control system B 607 is encrypted and decrypted with this shared session key.
Figure 7 is a schematic diagram of the application principle of a device that uses quantum key traffic and the method of the present invention to obtain a shared key with other devices, according to an embodiment of the present invention. 701 and 702 are removable storage media bound to cryptographic servers 605 and 606 respectively and used to inject quantum key traffic into them; cryptographic servers 605 and 606 obtain a shared session key by the method of Figure 1 and encrypt and decrypt their communication with it.
The method of the invention can be widely used in mobile secure communication and mobile office systems, and also in network security systems for industrial control systems (finance, electric power, energy, transportation, etc.).
The embodiments described above are only some, not all, of the embodiments of the present invention. Further embodiments can be obtained from various modifications and combinations of the embodiments of the present invention, and all other embodiments that directly employ the method of the present invention and are obtained by a person of ordinary skill in the art without inventive effort fall within the scope of protection of the present invention.

Claims (10)

  1. A low-latency quantum key mobile service method, characterized by comprising the following steps:
    (1-1) An application terminal applies to a quantum service node (node for short, hereinafter QKN) in the quantum key distribution network for registration and network access, and obtains a unique quantum ID;
    (1-2) The registered application terminal applies to at least one quantum service node in the quantum key distribution network for quantum key traffic, quantum key traffic sharing is achieved between the application terminal and that quantum service node, and a service association list of the quantum service node and the application terminal is established; the quantum service node sends the service association list to the quantum network management server of the quantum key distribution network;
    (1-3) After a communication service is initiated, the application terminal requests the session key service for this communication from the quantum key distribution network (the calling and called application terminals of this communication are denoted MT_U and MT_V respectively);
    (1-4) After receiving the request, the quantum network management server in the quantum key distribution network looks up the corresponding service association lists by the quantum IDs of MT_U and MT_V and obtains the associated calling quantum service node (denoted QKN_A) and called quantum service node (denoted QKN_B) (it is assumed that MT_U uses a subkey QKP_AUi of the quantum key traffic it shares with QKN_A, where i is a natural number not greater than the number of subkeys in the quantum key traffic, and that MT_V uses a subkey QKP_BVi of the quantum key traffic it shares with QKN_B, where i is a natural number not greater than the number of subkeys in the quantum key traffic), as well as the addresses of the relay nodes participating in this session key service;
    (1-5) According to the stored relay routing table and the current state indicators of the relevant quantum service nodes, the quantum network management server performs the following operations:
    (1-5-1) If MT_U and MT_V are associated with the same quantum service node QKN_A (i.e. QKN_A and QKN_B are the same quantum service node), the quantum network management server directly designates QKN_A to provide this session key service; QKN_A selects the subkeys QKP_AUi and QKP_BVj of MT_U and MT_V respectively and computes R=QKP_AUi⊕QKP_BVj (where ⊕ is the XOR operation, and i and j may be the same or different; likewise below); QKN_A sends R and the key identifiers of QKP_AUi and QKP_BVj to the quantum key relay server, which then sends R and the key identifier of QKP_AUi to MT_U and R and the key identifier of QKP_BVj to MT_V; MT_U and MT_V negotiate to use QKP_AUi (or QKP_BVj) as the shared session key, and accordingly MT_V computes R⊕QKP_BVj=QKP_AUi (or MT_U computes R⊕QKP_AUi=QKP_BVj);
    (1-5-2) If QKN_A and QKN_B are adjacent nodes with a point-to-point quantum key distribution connection, the quantum network management server directly instructs QKN_A and QKN_B to use a shared quantum key Kab that was cached in advance between them or negotiated in real time; QKN_A sends Kab⊕QKP_AUi and the key identifier of QKP_AUi to the quantum key relay server; QKN_B sends Kab⊕QKP_BVj and the key identifier of QKP_BVj to the quantum key relay server; the quantum key relay server computes R=Kab⊕QKP_AUi⊕Kab⊕QKP_BVj=QKP_AUi⊕QKP_BVj; the quantum key relay server then sends R and the key identifier of QKP_AUi to MT_U and R and the key identifier of QKP_BVj to MT_V; MT_U and MT_V negotiate to use QKP_AUi (or QKP_BVj) as the shared session key, and accordingly MT_V computes R⊕QKP_BVj=QKP_AUi (or MT_U computes R⊕QKP_AUi=QKP_BVj);
    (1-5-3) If QKN_A and QKN_B are two non-adjacent quantum service nodes, the quantum network management server selects n (n is a natural number greater than 0) relay nodes to participate in the quantum key relay and has each relay node compute the XOR value of the shared quantum keys it holds with its two adjacent nodes and send it to the quantum key relay server;
    It is assumed that all quantum service nodes participating in this relay are denoted in order QKN_A, …, QKN_Ci, …, QKN_B (where i is a natural number with 0<i<n+1; with one relay node, n=1 and i=1; with two relay nodes, n=2 and i=1, 2; and so on), and that adjacent nodes select in order K1, …, Ki, …, K(n+1) as the quantum keys for this relay service, where K1 is the shared quantum key of QKN_A and QKN_C1, Ki is the shared quantum key of QKN_C(i-1) and QKN_Ci (where 1<i<n+1), and K(n+1) is the shared quantum key of QKN_Cn and QKN_B; adjacent nodes confirm the key identifier of the quantum key to be used and use the quantum key with the same key identifier;
    The quantum network management server has QKN_A compute R0=QKP_AUi⊕K1 and send R0 together with the key identifier of QKP_AUi to the quantum key relay server; has QKN_B compute R(n+1)=K(n+1)⊕QKP_BVj and send R(n+1) together with the key identifier of QKP_BVj to the quantum key relay server; and has each node QKN_Ci compute the XOR (denoted ⊕) of the two shared quantum keys it holds with its two adjacent nodes, i.e. node QKN_Ci computes Ri=Ki⊕K(i+1), and send Ri together with the ID of the node QKN_Ci to the quantum key relay server (where i is a natural number with 0<i<n+1). If within a limited time the quantum key relay server has not received the results of some nodes, it requests those nodes to resend their results until all n+2 XOR results have been received. The quantum key relay server then XORs the n+2 results together, i.e. computes R=R0⊕R1⊕…Ri…⊕Rn⊕R(n+1)=QKP_AUi⊕QKP_BVj (where i is a natural number with 0<i<n); the quantum key relay server sends R and the key identifier of QKP_AUi to MT_U and R and the key identifier of QKP_BVj to MT_V; MT_U and MT_V negotiate to use QKP_AUi (or QKP_BVj) as the shared session key, and accordingly MT_V computes R⊕QKP_BVj=QKP_AUi (or MT_U computes R⊕QKP_AUi=QKP_BVj);
    (1-6) MT_U and MT_V use the session key obtained in step (1-5) to communicate securely over the original data link of this type of communication service.
  2. 根据权利要求1所述的方法,其特征在于,所述步骤(1-2)中的服务关联列表的内容包括:应用终端的量子ID、验证密码、关联量子服务节点的地址、业务账号标识;其中,已注册 应用终端的量子ID在整个量子密钥分发网络中是唯一的;所述验证密码用于应用终端连接量子密钥分发网络时的身份确认;所述业务账号标识是该应用终端及量子密钥分发网络所支持的各类通信业务的账号集合,它包含一项或多项不同业务的账号。The method according to claim 1, wherein the content of the service association list in the step (1-2) comprises: a quantum ID of the application terminal, a verification password, an address of the associated quantum service node, and a service account identifier; The quantum ID of the registered application terminal is unique in the entire quantum key distribution network; the verification password is used for identity confirmation when the application terminal connects to the quantum key distribution network; the service account identifier is the application terminal and A collection of accounts for various types of communication services supported by a quantum key distribution network, which contains one or more accounts for different services.
  3. 根据权利要求1所述的方法,所述量子网络管理服务器,其特征在于:The method of claim 1 wherein said quantum network management server is characterized by:
    (3-1)存储、维护和查询量子服务节点与应用终端之间的服务关联列表和中继路由表;(3-1) storing, maintaining, and querying a service association list and a relay routing table between the quantum service node and the application terminal;
    (3-2)维护与各量子服务节点间的经典网络连接;(3-2) Maintaining a classic network connection with each quantum service node;
    (3-3)根据收到的中继请求信息,向量子密钥中继服务器发送中继服务指令;(3-3) the vector sub-key relay server sends a relay service command according to the received relay request information;
    (3-4)对参与可信中继的各节点的当前状态指标进行汇总,判断得到参与中继的节点;(3-4) summarizing the current state indicators of the nodes participating in the trusted relay, and determining the nodes participating in the relay;
    (3-5)与量子服务节点通信,向量子服务节点发送指令。(3-5) Communicating with the quantum service node, the vector sub-service node sends an instruction.
  4. 根据权利要求1所述的方法,所述量子密钥中继服务器,其特征在于:实时响应量子网络管理服务器的指令,接收中继节点的中继相关数据,向源节点和目标节点发送中继密钥相关数据。The method according to claim 1, wherein the quantum key relay server is configured to: in response to an instruction of the quantum network management server, receive relay related data of the relay node, and send a relay to the source node and the target node. Key related data.
  5. 根据权利要求1所述的方法,所述量子服务节点包括量子密钥分发(简称QKD)系统、量子密钥服务器和安全存储服务器,其特征在于:The method of claim 1, the quantum service node comprising a quantum key distribution (QKD) system, a quantum key server, and a secure storage server, wherein:
    (5-1)所述QKD系统包括一台或多台QKD收发一体机或QKD的发送端和/或接收端,一个量子服务节点的QKD与其它存在点到点量子信道连接的相邻量子服务节点的QKD都可以组成至少一套量子密钥分发系统;(5-1) The QKD system includes one or more QKD transceivers or QKD transmitters and/or receivers, a quantum service node QKD and other adjacent quantum services with point-to-point quantum channel connections. The QKD of the node can form at least one set of quantum key distribution systems;
    (5-2)所述量子密钥服务器用于为应用终端提供注册服务和量子密钥流量服务并创建相应的服务关联列表,还用于响应量子网络管理服务器的指令并上报节点状态信息和提供可信中继服务;还用于把用户注册信息和服务关联列表发送给量子网络管理服务器;还用于协商确认与相邻节点所使用的量子密钥;(5-2) the quantum key server is configured to provide a registration service and a quantum key traffic service for the application terminal and create a corresponding service association list, and is further configured to respond to the instruction of the quantum network management server and report the node status information and provide The trusted relay service is also used to send the user registration information and the service association list to the quantum network management server; and is also used for negotiating and confirming the quantum key used by the adjacent node;
    (5-3)所述安全存储服务器用于缓存所述QKD系统与其它存在直接连接关系的相邻量子服务节点的QKD系统之间协商的量子密钥,还用于存储与所服务应用终端之间的共享量子密钥流量。(5-3) The secure storage server is configured to cache a quantum key negotiated between the QKD system and other QKD systems of adjacent quantum service nodes having a direct connection relationship, and is also used to store and serve the application terminal. Shared quantum key traffic between.
  6. 根据权利要求1所述的方法,所述步骤(1-4)中量子网络管理服务器得到参与该次会话密钥服务的中继节点的地址的方法,其特征在于:The method according to claim 1, wherein the quantum network management server in the step (1-4) obtains an address of a relay node participating in the session key service, and is characterized by:
    量子网络管理服务器根据所接收到的主叫应用终端与被叫应用终端的量子ID,查找相应的服务关联列表,得到本次通信中的主叫量子服务节点地址和被叫量子服务节点地址;然后再查询所存储的中继路由表,得到本次通信中主叫量子服务节点与被叫量子服务节点间各个中继量子服务节点的地址。The quantum network management server searches for the corresponding service association list according to the received quantum IDs of the calling application terminal and the called application terminal, and obtains the address of the calling quantum service node and the called quantum service node address in the current communication; The stored relay routing table is further queried to obtain the address of each relay quantum service node between the calling quantum service node and the called quantum service node in the current communication.
  7. 根据权利要求1所述的方法,其特征在于,如果某个已注册应用终端从多个量子服务节点获取了量子密钥流量,并且都存在着服务关联关系且保存有相应的多个服务关联列表,则,所述应用终端对所述多个服务关联列表按优先级进行排序,并优先按照所述排序选择所关联的量子服务节点并使用相应的量子密钥流量。The method according to claim 1, wherein if a registered application terminal acquires quantum key traffic from a plurality of quantum service nodes, and both have a service association relationship and a corresponding plurality of service association lists are saved Then, the application terminal sorts the plurality of service association lists by priority, and preferentially selects the associated quantum service nodes according to the order and uses corresponding quantum key traffic.
  8. The method according to claim 1, wherein the "relay routing table" in step (1-5) is characterized in that:
    (8-1) the relay routing table consists of a number of records, the content of each record including: a local address, a destination address and a next-hop address;
    (8-2) each quantum service node of the quantum key distribution network stores its own relay routing table;
    (8-3) the quantum network management server stores the current relay routing table of every quantum service node;
    (8-4) after the topology of the quantum key distribution network changes, the session key relay routing tables are updated accordingly.
  9. The method according to claim 1 or claim 3, wherein the current state indicators of the quantum service node are characterized in that:
    (9-1) an indicator reflecting how heavily the quantum service node is currently loaded with relay tasks; this indicator is a quantified indicator and includes:
    (9-1-1) the rated quantum key distribution rate of the quantum service node;
    (9-1-2) how many relay tasks the quantum service node is currently participating in, and the quantum key consumption rate of each relay task;
    (9-2) an indicator reflecting the current position of the quantum service node in the quantum key distribution network; this indicator is a quantified indicator and includes:
    (9-2-1) the number of other quantum service nodes with which the quantum service node has a valid quantum channel and can perform quantum key negotiation;
    (9-2-2) the number of hops between the quantum service node and other quantum service nodes.
  10. The method according to claim 1, wherein the application terminals include intelligent portable communication devices with wireless communication capability, key data forwarding devices with wireless communication capability, and devices that use quantum key traffic and the method of claim 1 to obtain shared keys with other devices, characterized in that:
    (10-1) the intelligent portable communication device with wireless communication capability is configured to use the session key obtained by the method for encrypted and decrypted communication of service data;
    (10-2) the key data forwarding device with wireless communication capability is configured to forward the session key obtained by the method to other encrypted communication devices, for encrypted and decrypted communication of service data between those other encrypted communication devices;
    (10-3) the device that uses quantum key traffic and the method of claim 1 to obtain a shared key with other devices is characterized in that the device obtains quantum key traffic through an offline route, negotiates a shared key with other devices using the method, and performs encrypted communication based on the shared key.
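The relay route lookup of claims 6 and 8 and the node state indicators of claim 9, as an added worked example written for this page (it is not code from the patent or from the applicant's system). Node addresses A to E, the quantum IDs "qid-caller-001" and "qid-callee-002", and the key rates are constructed sample values; deriving each node's relay routing table by breadth-first search is an assumption, since the claims state only what a record contains (local address, destination address, next-hop address), not how the table is computed. The route resolver follows next-hop records from the calling node to the called node and refuses to loop if the stored tables are inconsistent, which is the failure a stale table after a topology change (claim 8-4) would produce.

```python
# Added illustration for claims 6, 8 and 9; not the patent's own code.  Node
# addresses, quantum IDs and rates are constructed sample values, and deriving
# the routing tables by breadth-first search is an assumption: the claims state
# what each record contains, not how the table is computed.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteRecord:            # one record of a relay routing table, claim (8-1)
    local: str                # local address
    destination: str          # destination address
    next_hop: str             # next-hop address


# Constructed topology: chain A - B - C - D plus branch B - E; each pair has a
# valid quantum channel and can negotiate quantum keys directly.
QUANTUM_CHANNELS = {("A", "B"), ("B", "C"), ("C", "D"), ("B", "E")}
# Constructed service association entries: terminal quantum ID -> service node.
SERVICE_ASSOCIATION = {"qid-caller-001": "A", "qid-callee-002": "D"}


def build_adjacency(channels):
    """Undirected adjacency map of the quantum channels."""
    adj = {}
    for u, v in channels:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def bfs_hops(adj, start):
    """Hop count from start to every reachable node, plus the BFS parent map."""
    hops, parent, queue = {start: 0}, {start: None}, deque([start])
    while queue:
        u = queue.popleft()
        for v in sorted(adj[u]):
            if v not in hops:
                hops[v], parent[v] = hops[u] + 1, u
                queue.append(v)
    return hops, parent


def build_routing_tables(adj):
    """Each node's relay routing table (claims 8-2, 8-3), to be recomputed when
    the topology changes (claim 8-4); the next hop lies on a shortest path."""
    tables = {}
    for src in adj:
        _, parent = bfs_hops(adj, src)
        records = []
        for dst in parent:
            if dst == src:
                continue
            hop = dst
            while parent[hop] != src:        # walk back to the hop after src
                hop = parent[hop]
            records.append(RouteRecord(src, dst, hop))
        tables[src] = records
    return tables


def next_hop(tables, local, destination):
    """Next-hop address from the local node's table, or None if no record."""
    for record in tables.get(local, []):
        if record.destination == destination:
            return record.next_hop
    return None


def resolve_relay_nodes(tables, association, caller_qid, callee_qid):
    """Claim 6: map the two quantum IDs to their service nodes, then follow
    next-hop records until the called node is reached.  Returns the relay node
    addresses; a missing record raises LookupError, a cycle RuntimeError."""
    current, callee = association[caller_qid], association[callee_qid]
    path = [current]
    while current != callee:
        hop = next_hop(tables, current, callee)
        if hop is None:
            raise LookupError(f"no route from {current} to {callee}")
        if hop in path:
            raise RuntimeError(f"routing loop at {hop} via {path}")
        path.append(hop)
        current = hop
    return path[1:-1]


def relay_load(rated_rate_bps, task_rates_bps):
    """Claim (9-1): relay task count, total key consumption rate, and that
    total as a fraction of the node's rated QKD rate."""
    total = sum(task_rates_bps)
    return len(task_rates_bps), total, total / rated_rate_bps


def position_indicators(adj, node):
    """Claim (9-2): neighbours with a valid quantum channel, and hop counts."""
    return len(adj[node]), bfs_hops(adj, node)[0]
```

With the sample topology, resolving the session between "qid-caller-001" (served by A) and "qid-callee-002" (served by D) yields the relay nodes B and C, and node B reports three neighbours with a valid quantum channel and a hop count of 2 to D; a table in which A points to B and B back to A for the same destination is rejected as a loop rather than followed indefinitely.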
PCT/CN2018/121409 2017-12-29 2018-12-17 Quantum key mobile service method with low delay WO2019128753A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711466178.5A CN109995513B (en) 2017-12-29 2017-12-29 Low-delay quantum key mobile service method
CN201711466178.5 2017-12-29

Publications (1)

Publication Number Publication Date
WO2019128753A1 true WO2019128753A1 (en) 2019-07-04

Family

ID=67066569

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/121409 WO2019128753A1 (en) 2017-12-29 2018-12-17 Quantum key mobile service method with low delay

Country Status (2)

Country Link
CN (1) CN109995513B (en)
WO (1) WO2019128753A1 (en)

Also Published As

Publication number Publication date
CN109995513B (en) 2020-06-19
CN109995513A (en) 2019-07-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18897231

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18897231

Country of ref document: EP

Kind code of ref document: A1