WO2023221856A1 - Quantum secure communication method and device, quantum password service network, and communication system - Google Patents


Info

Publication number
WO2023221856A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2023/093515
Other languages
French (fr)
Chinese (zh)
Inventor
田野
何申
粟栗
杜海涛
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Application filed by 中国移动通信有限公司研究院, 中国移动通信集团有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic

Definitions

  • the present disclosure relates to the field of communication technology, and in particular refers to a quantum secure communication method and device, a quantum cryptography service network and a quantum secure communication system.
  • quantum secure communication networks are showing a massive, heterogeneous, and diversified development trend.
  • in the traditional basic communication network based on wired methods (for example, divided along different dimensions, it can include wide area networks, metropolitan area networks, backbone networks, aggregation networks, access networks, bearer networks, transmission networks, etc.), quantum secure communication technology needs to be adopted.
  • wireless mobile communication networks and networks using wireless technologies such as Wireless Fidelity (WiFi) also need to be combined with quantum security technology to achieve confidential communication between base stations/hotspots, mobile terminals and devices, with the goal of achieving high-security data transmission on the end-to-end "end-edge-management-cloud" transmission path and comprehensively improving the information security level of the network system.
  • the purpose of this disclosure is to provide a quantum secure communication method and device, a quantum cryptographic service network and a quantum secure communication system, to solve the problem that the quantum secure communication method in related technologies cannot meet the future application needs of diversified businesses and large-scale users for quantum cryptography.
  • a quantum secure communication method including:
  • the first device obtains the first quantum key and/or the first quantum random number from the first network, or obtains the first quantum key and/or the first quantum random number locally;
  • a second quantum key and/or a second quantum random number are provided to the second device.
  • the method also includes:
  • the first device determines whether the second device at the destination belongs to a node in this area.
  • the first device determines whether the second device at the destination belongs to the node in the local area, including:
  • the first device receives the first message sent by the second device at the source end; the first message carries device-related information of the second device at the destination end;
  • providing the second quantum key and/or the second quantum random number to the second device includes:
  • a second quantum key and/or a second quantum random number are provided for the second device at the source end and the second device at the destination end.
  • providing a second quantum key and/or a second quantum random number to a plurality of second devices includes:
  • the first device directly provides the second quantum key and/or the second quantum random number to the second source device and the second destination device;
  • the first device provides the second quantum key and/or the second quantum random number only to some of the second devices, and those second devices send the second quantum key and/or the second quantum random number to the other second devices participating in the communication.
  • said providing a second quantum key and/or a second quantum random number includes:
  • encrypting the second quantum key and/or the second quantum random number corresponding to each second device respectively includes:
  • the first key is a symmetric key between the first device and each second device;
  • the method also includes:
  • the first device receives the first message sent by the second device at the source end; the first message carries at least one of the following information: device-related information, service-related information, key-related information of the second device at the destination end, first identification;
  • a second quantum key and/or a second quantum random number, and the first identification are provided to the second device at the source end and/or the second device at the destination end.
  • the provision of the second quantum key and/or the second quantum random number, and the first identification to the source second device and/or the destination second device include one of the following:
  • a second quantum key and/or a second quantum random number and the first identification are provided to the source-side second device and the destination-side second device.
  • the first device obtains the first quantum key and/or the first quantum random number from the first network, including:
  • the first device receives a second message sent by the second device at the source end for requesting a quantum key
  • the first quantum key is obtained by negotiation between the first KM and the second KM after receiving the fourth message.
  • the method also includes:
  • the first device determines that the first KM is required to provide the first quantum key, or the first device determines that the first quantum key in the current cache pool cannot meet the usage requirements.
  • the second message carries at least one of the following information: device-related information, service-related information, key-related information, and second identification of the second device at the destination;
  • the method also includes:
  • the first device obtains the second identity according to the second message, or the first device allocates the second identity to this request.
  • providing the second quantum key and/or the second quantum random number to the second device includes:
  • the method also includes:
  • the third message carries the second identifier.
  • when the third device receives the fifth message carrying the second identifier sent by the second device at the destination, it provides the second quantum key and/or the second quantum random number to the second device at the destination according to the second identifier.
  • the method also includes:
  • the first device receives a second message sent by the second device at the source end for requesting a quantum key
  • the method also includes:
  • the first device stores the first quantum key and/or the first quantum random number obtained from the first network to obtain the cache pool;
  • the first quantum key in the cache pool is obtained through negotiation between the first KM and the second KM in the QKD network.
  • the method also includes:
  • the first device determines to obtain the first quantum key from the cache pool.
  • the second message carries at least one of the following information: device-related information, service-related information, key-related information, and second identification of the second device at the destination;
  • the method also includes:
  • the first device obtains the second identity according to the second message, or the first device allocates the second identity for this key service.
  • providing the second quantum key and/or the second quantum random number to the second device includes:
  • the method also includes:
  • the third message carries the second identifier.
  • when the third device receives the fifth message carrying the second identifier sent by the second device at the destination, it provides the second quantum key and/or the second quantum random number to the second device at the destination according to the second identifier.
  • the third message carries a third identifier, and the third identifier is used to identify the first quantum key and/or the first quantum random number.
  • the third identifier is used for:
  • the third device is caused to obtain the corresponding first quantum key and/or the first quantum random number from the cache pool according to the third identification.
  • the method also includes:
  • providing the second quantum key and/or the second quantum random number to the second device includes:
  • a second quantum key and/or a second quantum random number are provided to the second device for use by the second device for security applications.
  • the second quantum key and/or the second quantum random number are used by the second device as a session key, a key protection key, a root key, a master key, an encrypted storage key, and an authentication key.
  • providing the second quantum key and/or the second quantum random number to the second device includes at least one of the following situations:
  • An embodiment of the present disclosure also provides a quantum secure communication device, including:
  • a processing module configured to obtain the first quantum key and/or the first quantum random number from the first network, or obtain the first quantum key and/or the first quantum random number locally;
  • a sending module configured to provide the second quantum key and/or the second quantum random number to the second device.
  • An embodiment of the present disclosure also provides a device, including a memory, a processor, and a program stored on the memory and executable on the processor. When the processor executes the program, the above method is implemented.
  • Embodiments of the present disclosure also provide a computer-readable storage medium on which a computer program is stored. When the program is executed by a processor, the steps in the above method are implemented.
  • Embodiments of the present disclosure also provide a quantum secure communication method, including:
  • the receiving the first quantum key and/or the first quantum random number sent by the second KM in the QKD network includes:
  • the method also includes:
  • the third message also carries a third identifier, and the third identifier is used to identify the first quantum key and/or the first quantum random number.
  • the method also includes:
  • the third device obtains the corresponding first quantum key and/or first quantum random number from the buffer pool according to the third identification.
  • the method also includes:
  • a third identification is sent to the first device, where the third identification is used to identify the first quantum key and/or the first quantum random number.
  • providing the second quantum key and/or the second quantum random number to the second device at the destination includes:
  • the third message carries the second identifier.
  • providing the second quantum key and/or the second quantum random number to the second device at the destination includes:
  • the third device provides the second identification while providing the second quantum key and/or the second quantum random number to the destination second device;
  • when the third device receives the fifth message carrying the second identifier sent by the second device at the destination, the third device provides the second quantum key and/or the second quantum random number to the second device at the destination according to the second identifier.
  • An embodiment of the present disclosure also provides a quantum secure communication device, including:
  • a receiving unit configured to receive the first quantum key and/or the first quantum random number sent by the second KM in the QKD network, or to obtain the first quantum key and/or the first quantum random number from the buffer pool;
  • a sending unit configured to provide the second quantum key and/or the second quantum random number to the second device at the destination.
  • An embodiment of the present disclosure also provides a device, including a memory, a processor, and a program stored on the memory and executable on the processor. When the processor executes the program, the above method is implemented.
  • Embodiments of the present disclosure also provide a computer-readable storage medium on which a computer program is stored. When the program is executed by a processor, the steps in the method as described above are implemented.
  • Embodiments of the present disclosure also provide a quantum cryptography service network, including several first devices as described above, and/or several third devices as described above.
  • Embodiments of the present disclosure also provide a quantum secure communication system, including: the quantum cryptography service network, the first network and the user network as described above.
  • in the quantum cryptography service network and quantum secure communication system of the embodiments of the present disclosure, the integration and docking of the user network and the first network are realized in a loosely coupled manner through the first device, thereby meeting the requirements of future networks and services.
  • Figure 1 shows a schematic structural diagram of a quantum secure communication network in current technology
  • Figure 2 shows one of the step flow charts of the quantum secure communication method provided by the embodiment of the present disclosure
  • Figure 3 shows the second step flow chart of the quantum secure communication method provided by the embodiment of the present disclosure
  • Figure 4 shows a schematic structural diagram of a quantum secure communication system provided by an embodiment of the present disclosure
  • Figure 5 shows a schematic diagram of the service area of the quantum cryptography service center provided by the embodiment of the present disclosure
  • Figure 6 shows an example diagram of a quantum secure communication method provided by an embodiment of the present disclosure
  • Figure 7 shows the third step flow chart of the quantum secure communication method provided by the embodiment of the present disclosure.
  • Figure 8 shows a schematic diagram of local quantum cryptography services and quantum secure communication processing in an embodiment of the present disclosure
  • Figure 9 shows one of the schematic diagrams of cross-region quantum cryptography service and quantum secure communication processing in an embodiment of the present disclosure
  • Figure 10 shows the second schematic diagram of cross-regional quantum cryptography service and quantum secure communication processing in the embodiment of the present disclosure
  • Figure 11 shows one of the structural schematic diagrams of the quantum secure communication device provided by an embodiment of the present disclosure
  • Figure 12 shows a schematic structural diagram of the first device provided by an embodiment of the present disclosure
  • Figure 13 shows the second structural schematic diagram of the quantum secure communication device provided by the embodiment of the present disclosure
  • Figure 14 shows a schematic structural diagram of a third device provided by an embodiment of the present disclosure.
  • a current quantum secure communication network consists of a Quantum Key Distribution (QKD) network that provides key distribution capabilities and a user network that uses keys distributed by the QKD network to implement cryptographic applications.
  • the QKD network part includes the quantum layer, the key management layer, the QKD network (QKDN) control layer and the QKDN network management layer.
  • the user network part includes the application layer and the user network management layer.
  • the QKDN key management layer is a bridge connecting the QKD network and the user network (the QKDN network management layer and the user network management layer are also connected, through the Mu reference point, but they belong to the management plane and are not within the scope of this patent). It is responsible for receiving and storing the quantum keys generated by the QKD modules of the quantum layer and managing their entire life cycle; for completing the long-distance relay of quantum keys and realizing QKD end-to-end key distribution; and, through the Ak reference point/Ak interface, for providing the quantum keys generated by the QKD network and synchronized at both ends of the communication to the applications of the user network, so that the applications on both sides of the communication can use the quantum keys provided by the QKD network to achieve secure communication.
  • the Ak reference point is very critical. It connects the cryptographic application (APP) with the key supply agent (KSA) function module of the key management layer. Its main functions are the communication and mutual authentication between the cryptographic application and the KSA, and the provision of quantum keys by the KSA to cryptographic applications.
  • the embodiment of the present disclosure provides a quantum secure communication method, as shown in Figure 2, including:
  • the first device obtains the first quantum key and/or the first quantum random number locally;
  • the first device here may be a Key Manager (KM) in the QKD network.
  • the QKD network here can also be called quantum key distribution QKD network, quantum secure communication network, quantum communication network, quantum network, network layer, etc.
  • the second device here is any of a variety of security devices that use quantum keys and/or quantum random numbers to carry out secure communication, secure authentication, secure storage, etc., thereby enabling diversified business applications.
  • the second device belongs to the application layer of the user network.
  • Specific business applications can be, for example, data transmission on backbone lines, off-site disaster recovery in data centers, secure communications for mobile or fixed end users (such as encrypted voice calls, encrypted video calls, encrypted instant messaging, encrypted intercom, encrypted video conferencing, etc.), Internet digital services between terminals and servers (such as e-government, e-finance, e-energy, etc.), secure communication in a satellite-based wide-area environment integrating air, space, ground and sea (based on Internet Protocol Security (IPSec), Transport Layer Security (TLS), etc.), secure storage of sensitive information, and so on; all of these will be further integrated with quantum confidential communication and improve their own business security capabilities with the help of quantum information technology.
  • sending the quantum key and/or the quantum random number to the second device may also be referred to as sending the quantum key and/or the quantum random number to a second application, second network element, second function, second entity, second organization, second unit, second module, second component, etc.; the principle is that the quantum key and/or quantum random number provided by the first device is used for business processing to ensure the security of the information.
  • the second device may be located at the user network layer or application layer of the quantum secure communication network, or at the quantum cryptography application layer.
  • the sending of the quantum key to the second device may be an active push/send, that is, the first device actively pushes the second quantum key and/or the second quantum random number to the second device, which may further be a periodic push or an event-triggered push, etc.; it may also be passive sending, that is, the second device actively obtains the second quantum key and/or the second quantum random number from the first device, and the first device then sends the second quantum key and/or the second quantum random number to the second device.
  • the key here refers to a certain secret information used to complete cryptographic applications such as encryption, decryption, and integrity verification.
  • in symmetric cryptography, the same key is used for encryption and decryption, so the key needs to be kept secret.
  • in public key cryptography, the keys used for encryption and decryption are different: one is public, called the public key; the other is kept secret, called the private key.
  • Quantum keys are keys generated based on the principles of quantum mechanics and based on the uncertainty of the state of quantum particles. Quantum keys have true randomness. Quantum random numbers are based on the principles of quantum mechanics and are random number sequences generated based on the uncertainty of the state of quantum particles. They are truly random. Quantum random numbers can be transmitted openly in channels in practical applications.
  • quantum keys can be used in various embodiments provided by this disclosure.
  • quantum keys will be used as examples in the following, but it can be understood that the content explained with examples is also applicable to quantum random numbers.
  • a key may also be called a password, which has the same meaning.
  • the first quantum key and the second quantum key here may be the same, that is, the quantum key provided locally by the first device is sent to the second device.
  • the first device may provide the first quantum key to the second device in real time after obtaining the first quantum key locally; alternatively, the first device may locally generate the first quantum key and store it, and then provide the stored first quantum key to the second device.
  • the first quantum key and the second quantum key here can also be different, in the following situations: 1) after the first device obtains the first quantum key locally, it performs a series of processing on the key to obtain the second quantum key, and then provides the second quantum key to the second device; 2) multiple first quantum keys can be generated locally, and the first device selects at least one second quantum key from them, that is, the second quantum key can be a subset of the first quantum keys, and the first device then provides the second quantum key to the second device; further, after the first device generates multiple first quantum keys locally, it can perform key selection in real time to obtain the second quantum key, or it can first store the multiple generated first quantum keys and then select the second quantum key from the stored set of first quantum keys; 3) it can be a combination of method 1 and method 2, that is, processing first and then selecting, or selecting first and then processing.
  • the relationship between the first quantum random number and the second quantum random number is similar to the relationship between the first quantum key and the second quantum key, and will not be described again here.
  • providing the second quantum key and/or the second quantum random number to the second device in step S202 includes:
  • S2021. Provide the second quantum key and/or the second quantum random number to the second device, where the second quantum key and/or the second quantum random number are used by the second device for security applications.
  • the security applications here can be various applications such as confidential communication, security authentication, and encrypted storage.
  • the second quantum key and/or the second quantum random number are used by the second device as a session key, a key protection key, a root key, a master key, an encryption storage key, and an authentication key. That is to say, the role of the second quantum key is determined by the second device according to the specific form of the security application; the first device is only responsible for providing the second quantum key.
  • providing the second quantum key and/or the second quantum random number to the second device in step S202 includes at least one of the following situations:
  • the current quantum secure communication network system technology based on QKD mainly focuses on the networking architecture, module functions, operating procedures, communication protocols, equipment and interfaces of the QKD quantum key distribution network, and lacks consideration of the user network and business application levels.
  • embodiments of the present disclosure propose a quantum secure communication application service system architecture and method to more effectively meet the application needs of future diversified businesses and large-scale users for quantum cryptography.
  • the embodiment of the present disclosure provides yet another quantum secure communication method, as shown in Figure 3, including:
  • the first device obtains the first quantum key and/or the first quantum random number from the first network, or obtains the first quantum key and/or the first quantum random number locally;
  • S302. Provide the second quantum key and/or the second quantum random number to the second device.
  • the first device can be a quantum key service center, that is, a device that provides quantum key services, or it can have other names, such as quantum key server, quantum key service platform, quantum key service equipment, quantum key management equipment, quantum key cloud service platform or system, quantum (confidential) communication service center, quantum basic key management center, quantum cryptography server, quantum cryptography service center, quantum cryptography service platform, quantum basic password management center, etc.;
  • the first network can be a quantum key distribution QKD network, a quantum secure communication network, a quantum communication network, a quantum network, and can also be called the first network layer or the QKD network layer;
  • the second device is any of a variety of security devices that use quantum keys and/or quantum random numbers to carry out secure communication, secure authentication, secure storage, etc., thereby enabling diversified business applications.
  • the second device belongs to the application layer of the user network.
  • Specific business applications can be, for example, data transmission on backbone lines, off-site disaster recovery in data centers, secure communications for mobile or fixed end users (such as encrypted voice calls, encrypted video calls, encrypted instant messaging, encrypted intercom, encrypted video conferencing, etc.), Internet digital services between terminals and servers (such as e-government, e-finance, e-energy, etc.), secure communications in a satellite-based wide-area environment integrating air, space, ground and sea (based on IPSec, TLS, etc.), secure storage of sensitive information, and so on; all of these will be further integrated with quantum confidential communications and improve their business security capabilities with the help of quantum information technology.
  • sending the quantum key and/or the quantum random number to the second device may also be referred to as sending the quantum key and/or the quantum random number to a second application, second network element, second function, second entity, second organization, second unit, second module, second component, etc.; the principle is that the quantum key and/or quantum random number provided by the first device is used for business processing to ensure the security of the information.
  • the second device may be located at the user network layer or application layer of the quantum secure communication network, or at the quantum cryptography application layer;
  • the first device is located between the first network and the second device and can form an independent middle layer that serves as the link between the first network and the second device.
  • This intermediate layer can be called the quantum cryptography (application) service layer, or the quantum (secrecy) communication application service layer, or the quantum basic key management layer, etc.;
  • the first device can actively obtain the first quantum key and/or the first quantum random number from the first network, that is, the first device actively requests the first network for the first quantum key and/or the first quantum random number; the acquisition can be periodic or event-triggered, etc.
  • the first device can also obtain them passively, that is, the first network actively pushes the first quantum key and/or the first quantum random number to the first device, which can likewise be a periodic push or an event-triggered push, etc.;
  • sending the quantum key to the second device can also be an active push/send, that is, the first device actively pushes the second quantum key and/or the second quantum random number to the second device; further, this can be a periodic push or an event-triggered push, etc.; of course, it can also be sent passively, that is, the second device actively requests the second quantum key and/or the second quantum random number from the first device, and the first device then sends the second quantum key and/or the second quantum random number to the second device.
  • A key is secret information used to complete cryptographic operations such as encryption, decryption, and integrity verification. In symmetric cryptography, the same key is used for encryption and decryption, so the key must be kept secret. In public key cryptography, the keys used for encryption and decryption are different: one is public, called the public key; the other is kept secret, called the private key. Quantum keys are keys generated based on the principles of quantum mechanics, that is, based on the uncertainty of the state of quantum particles, and therefore have true randomness. Quantum random numbers are random number sequences generated on the same basis and are likewise truly random. In practical applications, quantum random numbers can be transmitted openly in channels.
  • quantum keys can be used in various embodiments provided by this disclosure.
  • quantum keys will be used as examples in the following, but it can be understood that the content explained with examples is also applicable to quantum random numbers.
  • a key may also be referred to as a password, which has the same meaning.
  • the first quantum key is provided by the QKD network to the first device, and the second quantum key is provided by the first device to the second device.
  • the first quantum key and the second quantum key may be the same, that is, the first device sends the quantum key provided by the QKD network to the second device.
  • the first device may provide the first quantum key to the second device in real time after receiving the first quantum key; or the first device may, after receiving the first quantum key, first store it and then provide the stored first quantum key to the second device.
  • the first quantum key and the second quantum key can also be different.
  • 1) after the first device obtains the first quantum key from the QKD network, it performs verification and a series of other processing on the key to obtain the second quantum key, and then provides the second quantum key to the second device; 2) the QKD network provides multiple first quantum keys to the first device, and after obtaining the multiple first quantum keys from the QKD network, the first device selects at least one second quantum key from among them, that is, the second quantum key can be a subset of the first quantum keys.
  • the first device then provides the second quantum key to the second device; further, after acquiring multiple first quantum keys, the first device can perform key selection in real time to obtain the second quantum key, or it can first store the multiple first quantum keys and select the second quantum key from the stored first quantum key set; 3) a combination of method 1 and method 2, that is, process first and then select, or select first and then process.
  • the relationship between the first quantum random number and the second quantum random number is similar to the relationship between the first quantum key and the second quantum key, and will not be described again here.
  • this method can effectively ensure that the application requirements of the second device for quantum keys are met.
  • the current QKD network mainly uses single photons as the basic quantum particles, and performs key negotiation between end nodes through the BB84 or GG02 protocol.
  • its performance is very limited: it can only negotiate and generate a key amount of hundreds to thousands of bits per second.
  • the upper-layer second device supports a variety of applications, and each application also has different requirements for the number of keys.
  • the QKD network needs to be able to support QKD key negotiation capabilities that are greater than the data transmission rate.
  • the voice data rate encoded using the Adaptive Multi-Rate (AMR) method is usually 4.75 kbps to 23.85 kbps.
  • the rate of quantum key generation by the QKD network is far less than the rate of data transfer between the second devices.
  • when the second device has multiple concurrent services, or multiple second devices generate concurrent service requests, there will also be an instantaneous large demand for quantum keys. Due to the low quantum key negotiation rate of the QKD network, it cannot meet the real-time demand for quantum keys of concurrent services.
  • this problem is solved by the first device located between the QKD network and the second device.
  • although the QKD network generates quantum keys at a slow rate, it can generate keys continuously and keep sending them to the first device.
  • the first device will securely store the multiple first quantum keys received to form a key set or key pool.
  • a large number of quantum keys provided by the QKD network can be pre-stored in the key collection/key pool.
  • the second device does not need a quantum key negotiated in real time by the QKD network in order to communicate. Therefore, when it is necessary to provide the second device with a quantum key, a pre-negotiated QKD quantum key can be selected from the key set or key pool and provided to the second device. In this way, the above problems can be solved.
  • the embodiments of this disclosure propose to add an intermediate layer between the quantum key distribution network and the user network layer to realize the integration and docking of the underlying quantum network and upper-layer user applications.
  • the middle layer here can be called the quantum cryptography service layer, or the quantum (secret) communication application service layer, or the quantum basic key management layer, etc. It can be composed of one or more quantum cryptography service centers, cloud service platforms or systems (also known as quantum (secrecy) communication service centers, quantum basic key management centers, etc.), thereby forming a quantum cryptography service network or a quantum confidentiality communication service network.
  • the quantum cryptography service layer separates the original tightly coupled QKD quantum network layer and quantum cryptography application layer to reduce the degree of coupling between the two and serve as a link to facilitate the integrated development of QKD networks and applications.
  • it extracts the basic common capabilities of the underlying QKD network and uniformly encapsulates them to form a standard service interface that can be directly called by the upper layer, thus shielding the system architecture, topology, working mechanism, equipment differences, etc. of the underlying QKD network.
  • on the one hand, shielding these implementation details makes the underlying QKD network transparent to upper-layer quantum cryptography applications and reduces the complexity of upper-layer QKD capability management; on the other hand, the layer manages and controls massive numbers of users in different upper-layer networks and business scenarios.
  • this is conducive to the rapid proliferation and development of various quantum cryptography business applications.
  • Each new business only needs to be connected and adapted with the middle layer to obtain quantum security capabilities.
  • the underlying QKD network is no longer required to adapt to the new business, which reduces the complexity of QKD network and business implementation at the same time.
  • the quantum cryptography service center is the core entity of the quantum cryptography service layer. In the southbound direction, it connects to the quantum QKD network through the Ak interface and obtains the symmetric key or quantum random number generated by the QKD network. In the northbound direction, it interfaces with various business applications of the quantum cryptography application layer through the As interface to provide quantum cryptography on demand. At the same time, the quantum cryptography service center can also deploy quantum random number generators locally to generate quantum random numbers and keys for use by various upper-layer business applications.
  • Each quantum cryptography service center has a certain service scope. It interfaces through the Ak interface with the QKD quantum network key management node (for example, a quantum key manager (KM)) in its area to provide quantum cryptography services to users, as shown in Figure 5.
  • the quantum cryptography service center deployed in area A for example, Beijing
  • the quantum cryptography service center deployed in area B for example, Shanghai
  • quantum cryptography security media, for example a Universal Serial Bus (USB) key, a TransFlash (TF) password card, a Subscriber Identity Module (SIM) card, a security chip, etc.
  • the method is to fill the user's security medium with quantum keys, and to provide users online with quantum cryptography (including quantum random numbers, quantum keys, etc.) or quantum cryptography security services (including encryption, decryption, integrity protection/verification, digital signature/signature verification and other cryptographic protection based on quantum cryptography), etc.
  • Quantum cryptography service centers are interconnected and generate the quantum keys required by upper-layer user applications through QKD network negotiation. Therefore, multiple (two or more) quantum cryptography service centers can form a service network corresponding to the underlying QKD network, providing quantum cryptography services to upper-layer users over a wide area.
  • the method provided by the embodiment of the present disclosure further includes:
  • the first device determines whether the second device at the destination belongs to a node in this area.
  • the domain here refers to the service range in which the first device provides quantum key services.
  • the second device at the source end needs to initiate a quantum confidential communication request to the second device at the destination end.
  • the second device at the source end needs to initiate a key request to the first device that provides quantum key services, in order to obtain the quantum key used for secure communication with the second device at the destination.
  • the first device needs to determine whether the second device at the destination belongs to a node in this area, and perform subsequent processing based on the determination result.
  • the source end can also be called the active end
  • the destination end can also be called the passive end.
  • step S301' the first device determines whether the second device at the destination belongs to the local node, including:
  • the first device receives the first message sent by the second device at the source end; wherein the first message carries device-related information of the second device at the destination end;
  • the relevant information of the second device at the destination can be implemented in a variety of ways. For example, it can be the device information (address, identification, etc.) of the second device at the destination, or it can be the belonging information (information about the first device that provides quantum key services for the second device at the destination).
  • step S302 provides the second quantum key and/or the second quantum random number to the second device, which may include:
  • S302' provides a second quantum key and/or a second quantum random number to the source-side second device and the destination-side second device.
  • when the first device determines that the second device at the destination belongs to this domain (this service area), the first device provides the second quantum key and/or the second quantum random number to the second device at the source end and the second device at the destination end.
  • the first device directly provides the second quantum key and/or the second quantum random number to the source second device and the destination second device;
  • the first device only provides the second quantum key and/or the second quantum random number to some second devices, and those second devices then send the second quantum key and/or second quantum random number to the other second devices participating in the communication.
  • the first situation means that quantum key distribution is performed by the first device, and the first device provides the second quantum key to the second device at the source end or the second device at the destination end (wherein, the second device at the destination end can be one or more);
  • the second case is that quantum key distribution is performed by the first device and some second devices.
  • the first device first distributes the second quantum key to some second devices (for example, to the source second device). Then some of the second devices forward the second quantum key to other second devices participating in the communication (for example, the source second device sends it to the destination device).
  • keys distributed for multiple second devices may be processed in multiple situations, specifically as follows:
  • S302c′ provides the second device with the corresponding second quantum key and/or second quantum random number
  • S302d′ separately encrypts the second quantum key and/or the second quantum random number corresponding to the second device, and then provides the encrypted second quantum key and/or the second quantum random number.
  • the first case is: the first device directly provides the corresponding second quantum key to the second device.
  • the interaction between the first device and the second device is safe.
  • the first device and the second device are in the same physical security environment.
  • the second situation is: the second quantum keys corresponding to each second device are respectively encrypted and sent.
  • the second quantum key needs to be encrypted before being sent out.
  • the second quantum key and/or the second quantum random number corresponding to each second device are separately encrypted, which can include:
  • using a first key to encrypt the second quantum key and/or the second quantum random number; wherein the first key is a symmetric key between the first device and each second device;
  • the symmetric key between the second device A and the first device is K1 (the symmetric key may also be called a shared key), and the symmetric key between the second device B and the first device is K2.
  • the first device can encrypt Ks using K1 and encrypt Ks using K2, and then send them to the second device A and the second device B respectively. Then the second device A and the second device B respectively use K1 and K2 to decrypt the received encrypted information to obtain the second quantum key Ks.
  • the second quantum key and/or the second quantum random number may be encrypted using the public key corresponding to the digital certificate of the second device.
  • the first device uses the public key corresponding to the digital certificate of the second device A to encrypt and protect the second quantum key Ks, and uses the public key corresponding to the digital certificate of the second device B to encrypt and protect the second quantum key Ks, and then sends them respectively.
  • the second device A and the second device B respectively use the private keys corresponding to their respective digital certificates to decrypt the received encrypted information to obtain the second quantum key Ks.
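The per-device protection described in the preceding points, worked through as an added Go example (not code from the patent or its applicant): one second quantum key Ks is wrapped separately under K1 for second device A and under K2 for second device B, and each device unwraps only with its own shared key. AES-256-GCM, the function names and the binding of the device identifier as associated data are this example's assumptions; the patent does not name a cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// wrapKey encrypts the second quantum key ks for one second device under the
// symmetric key that device shares with the first device (K1 for A, K2 for B).
// AES-256-GCM is this example's choice; the patent text names no cipher.
// The device identifier is bound as associated data, so an envelope produced
// for device A is rejected if it is presented as device B's envelope.
func wrapKey(sharedKey, ks []byte, deviceID string) ([]byte, error) {
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Wire layout: nonce || ciphertext || tag. A fresh random nonce per
	// envelope keeps two wrappings of the same Ks from leaking anything.
	return aead.Seal(nonce, nonce, ks, []byte(deviceID)), nil
}

// unwrapKey is the second device's side: authenticate and decrypt with its own
// shared key. Tampering, a wrong key or a wrong device identifier fails here.
func unwrapKey(sharedKey, envelope []byte, deviceID string) ([]byte, error) {
	block, err := aes.NewCipher(sharedKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(envelope) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("envelope too short")
	}
	nonce, ct := envelope[:aead.NonceSize()], envelope[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(deviceID))
}

// distributeKs models the first device: the same Ks, wrapped separately for
// every second device taking part in the communication under that device's key.
func distributeKs(ks []byte, sharedKeys map[string][]byte) (map[string][]byte, error) {
	envelopes := make(map[string][]byte, len(sharedKeys))
	for id, k := range sharedKeys {
		env, err := wrapKey(k, ks, id)
		if err != nil {
			return nil, fmt.Errorf("device %s: %w", id, err)
		}
		envelopes[id] = env
	}
	return envelopes, nil
}

func main() {
	// Constructed values: K1 and K2 are the pre-shared keys, Ks the second quantum key.
	k1, k2, ks := make([]byte, 32), make([]byte, 32), make([]byte, 32)
	for i := range ks {
		k1[i], k2[i], ks[i] = 0x11, 0x22, byte(i)
	}
	envelopes, err := distributeKs(ks, map[string][]byte{"A": k1, "B": k2})
	if err != nil {
		panic(err)
	}
	recovered, err := unwrapKey(k2, envelopes["B"], "B")
	fmt.Printf("B recovers Ks: %x (err=%v)\n", recovered, err)
	_, err = unwrapKey(k2, envelopes["A"], "A")
	fmt.Println("B opening A's envelope:", err)
}
```

The public-key variant in the points above is the same pattern with the wrap step replaced by encryption under each device's certificate public key; the per-device separation and single-use nonce are what matter in both forms.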
  • the method provided by the embodiment of the present disclosure further includes:
  • the first device receives the first message sent by the second device at the source end; the first message carries at least one of the following information: device-related information, service-related information, key-related information, a first identifier;
  • a second quantum key and/or a second quantum random number, and the first identification are provided to the second device at the source end and/or the second device at the destination end.
  • after receiving the first message, the first device can obtain the second quantum key and/or the second quantum random number and the first identifier based on part or all of the content carried in the first message.
  • the generation of the first identifier can be completed by the first device or by the second device. Specifically, there are the following situations:
  • the first identifier is generated by the second device at the source end and sent to the first device through the first message.
  • the first device obtains the first identifier by reading the first message;
  • the first identifier is generated by the first device. If the first message sent by the source second device does not contain the first identifier, then the first device will generate the first identifier by itself.
  • the function of the first identifier is to associate the second quantum key with a transaction.
  • the transaction here refers to a transaction that occurs during a confidential communication between the second device at the source end and the second device at the destination end. For example, make encrypted calls, carry out encrypted message transmission, etc.
  • the first identifier is used to indicate the second quantum key to be used in this transaction. There can be many specific implementations, such as key identification, transaction identification, randomly generated identification, serial number, encoding, etc.
  • the first identifier mentioned in the embodiment of the present disclosure can be used to indicate the second quantum key to be used for one transaction, or can also be used to indicate the second quantum key to be used for two or more transactions.
  • the key is not specifically limited here.
  • the provision of the second quantum key and/or the second quantum random number, and the first identification to the source second device and/or the destination second device include one of the following:
  • in the first case, the second quantum key and the first identifier are provided to the second device at the source end, and the source second device sends the first identifier to the destination second device.
  • the destination device then obtains the second quantum key from the first device according to the first identification; the second case is similar to the first case and will not be described again.
  • the third situation is that the first device directly delivers the second quantum key and the first identifier to the second device at the source end and the second device at the destination end.
  • the second device at the source end and the second device at the destination end will carry the first identifier when conducting quantum secure communication, so that the destination end can learn which second quantum key should be used for this communication based on the first identifier.
  • the following describes the case where the second device at the destination is in the local domain, including the method in which the first device obtains the first quantum key from the QKD network in real time and provides the second quantum key to the second device, and the method in which the first device retrieves the first quantum key from the cache pool and provides the second quantum key to the second device.
  • FIG. 6 shows a schematic diagram of multiple message forwarding situations integrated together, and does not refer to the message sending and receiving situation in a specific situation. That is, for every situation, not all processes in Figure 6 may occur.
  • the label n can correspond to the nth message in the text.
  • the first device obtains the first quantum key and/or the first quantum random number from the first network, which may include:
  • the first device receives the second message sent by the second device at the source end for requesting the quantum key
  • the second message is a message used by the second source device to request the key from the first device.
  • the second message may be the same as the first message above, or may be different from the first message.
  • the first quantum key here is obtained by negotiation between the first KM and the second KM after receiving the fourth message.
  • the KM here can be key manager, which can be called a key manager or key management platform or key management center.
  • the first KM is the KM in the QKD network that provides the quantum key to the first device (through the tenth message), and the second KM is the KM in the QKD network that provides the quantum key to the third device (through the eleventh message).
  • the third device here is a device that provides quantum key services for the second device at the destination, and cooperates with the first device to provide quantum cryptography security services for the application layer of the user network.
  • the first device and the third device may belong to the same network, or may belong to the same layer (specifically, it may be called the quantum cryptography (application) service layer, or the quantum (secrecy) communication application service layer, or the quantum basic key management layer, etc.).
  • the third device also needs to obtain the first quantum key after the negotiation between the first KM and the second KM.
  • the first is for the third device to actively send a request to obtain the key to the second KM, and wait for the second KM to push the first quantum key to the third device after negotiating with the first KM.
  • the second is for the third device to enter a listening mode and wait for the first quantum key that the second KM pushes to the third device after negotiating with the first KM.
  • the method further includes:
  • the first device determines that the first KM is required to provide the first quantum key, or the first device determines that the first quantum key in the current cache pool cannot meet the usage requirements.
  • This step is actually a judgment step performed by the first device after receiving the second message.
  • the judgment is used to determine whether to obtain the first quantum key from the first KM in real time or to obtain the first quantum key in the current cache pool.
  • the content of the judgment may be "whether it is necessary to obtain the first quantum key from the first KM", or "based on the information carried in the second message (such as business information, key information, etc.) and/or the storage situation of the current cache pool (such as whether the number of currently stored keys is sufficient, whether the generation time of the keys is fresh, whether the length of the keys can meet the demand, etc.), determine whether the first quantum key in the current cache pool can meet the demand".
  • this judgment step does not necessarily exist.
  • for example, the first device does not have a cache pool, or the first device is configured to obtain the first quantum key from the first KM in real time each time it receives the second message, etc. In these cases, this judgment step does not exist.
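The cache pool introduced in the rate-mismatch discussion above (a slow but continuous QKD key supply buffered against bursty requests) and the judgment step just described (whether the pool's stock meets a request in count, freshness and length, otherwise fall back to the first KM) are modelled together in the following added Go example. It is not code from the patent; the type names, the `Demand` fields and the eviction routine are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// PooledKey is one first quantum key buffered by the first device. The
// metadata fields are this example's assumption; the patent text lists
// count, freshness and length as the things the judgment looks at.
type PooledKey struct {
	ID        string
	Material  []byte
	CreatedAt time.Time
}

// Demand is the requirement carried in a second message (assumed shape).
type Demand struct {
	Count    int           // how many keys the service needs
	MinBytes int           // minimum key length
	MaxAge   time.Duration // how fresh a key must be
}

// ErrPoolInsufficient tells the caller to request the first KM in real time instead.
var ErrPoolInsufficient = errors.New("cache pool cannot meet the demand; request the first KM in real time")

// KeyPool is the cache pool: slow, continuous input from the QKD network,
// bursty output to second devices.
type KeyPool struct {
	keys []PooledKey
}

func (p *KeyPool) Add(k PooledKey) { p.keys = append(p.keys, k) }
func (p *KeyPool) Len() int        { return len(p.keys) }

// suitable is the per-key part of the judgment: long enough and fresh enough.
func (k PooledKey) suitable(d Demand, now time.Time) bool {
	return len(k.Material) >= d.MinBytes && now.Sub(k.CreatedAt) <= d.MaxAge
}

// Take is the judgment step itself. Keys are consumed only when the whole
// demand can be met from the pool; otherwise the pool is left untouched and
// ErrPoolInsufficient is returned. Every key handed out is removed, so no
// first quantum key is ever supplied twice.
func (p *KeyPool) Take(d Demand, now time.Time) ([]PooledKey, error) {
	var picked []PooledKey
	var idx []int
	for i, k := range p.keys {
		if len(picked) == d.Count {
			break
		}
		if k.suitable(d, now) {
			picked = append(picked, k)
			idx = append(idx, i)
		}
	}
	if len(picked) < d.Count {
		return nil, ErrPoolInsufficient
	}
	for j := len(idx) - 1; j >= 0; j-- { // delete back to front so indices stay valid
		i := idx[j]
		p.keys = append(p.keys[:i], p.keys[i+1:]...)
	}
	return picked, nil
}

// Evict drops keys older than maxAge so stale material does not pile up.
func (p *KeyPool) Evict(maxAge time.Duration, now time.Time) int {
	kept := p.keys[:0]
	dropped := 0
	for _, k := range p.keys {
		if now.Sub(k.CreatedAt) <= maxAge {
			kept = append(kept, k)
		} else {
			dropped++
		}
	}
	p.keys = kept
	return dropped
}

// ServeBurst answers concurrent requests arriving at the same instant: each is
// served from the pool if the judgment allows, otherwise counted as a
// real-time fetch from the first KM.
func (p *KeyPool) ServeBurst(reqs []Demand, now time.Time) (fromPool, realtime int) {
	for _, d := range reqs {
		if _, err := p.Take(d, now); err != nil {
			realtime++
		} else {
			fromPool++
		}
	}
	return fromPool, realtime
}

func main() {
	// Constructed pool: one 32-byte key per second for the last five seconds,
	// plus one key that is too short and one that is stale.
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	pool := &KeyPool{}
	for i := 0; i < 5; i++ {
		pool.Add(PooledKey{ID: fmt.Sprintf("k%d", i), Material: make([]byte, 32), CreatedAt: now.Add(-time.Duration(i) * time.Second)})
	}
	pool.Add(PooledKey{ID: "short", Material: make([]byte, 16), CreatedAt: now})
	pool.Add(PooledKey{ID: "stale", Material: make([]byte, 32), CreatedAt: now.Add(-2 * time.Hour)})
	// Eight encrypted calls start at once, each needing one fresh 32-byte key.
	burst := make([]Demand, 8)
	for i := range burst {
		burst[i] = Demand{Count: 1, MinBytes: 32, MaxAge: time.Hour}
	}
	fromPool, realtime := pool.ServeBurst(burst, now)
	fmt.Printf("served from pool: %d, real-time KM requests: %d, left in pool: %d\n", fromPool, realtime, pool.Len())
	fmt.Printf("evicted stale keys: %d\n", pool.Evict(time.Hour, now))
}
```

The point of the all-or-nothing `Take` is the failure mode the text raises: when the pool cannot meet the demand, nothing is consumed and the caller is told to go to the first KM in real time, rather than handing out a partial or stale set.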
  • the second message carries at least one of the following information: device-related information, service-related information, key-related information, and second identification of the second device at the destination;
  • the method also includes:
  • the first device obtains the second identity according to the second message, or the first device allocates the second identity to this request.
  • the second identification can be generated by the first device, specifically, after receiving the second message the second identification is assigned to this request; it can also be generated by the second device at the source end and carried to the first device in the second message.
  • the function of the second identification is to associate the second quantum key with the secure communication transaction.
  • the transaction here refers to the transaction that occurs during confidential communication between the second device at the source end and the second device at the destination end. For example, make encrypted calls, carry out encrypted message transmission, etc.
  • the second identification is used to indicate the second quantum key to be used for the secure communication transaction. There can be many specific implementations, such as key identification, transaction identification, randomly generated identification, serial number, encoding, etc.
  • the second identifier mentioned in the embodiment of the present disclosure can be used to indicate the second quantum key to be used for one secure communication transaction, or can also be used to indicate the second quantum key to be used for two or more secure communication transactions.
  • the second quantum key is not specifically limited here.
  • providing the second quantum key and/or the second quantum random number to the second device in step S302 includes: providing the second quantum key and/or the second quantum random number, and the second identification, to the source second device.
  • when the second identifier is generated by the first device, the second source device also needs to know the second identifier, so that it knows which second quantum key is to be used for this transaction. Therefore, when the first device provides the second quantum key to the second device at the source end, it also needs to provide the second identity; that is, the ninth message in Figure 6 carries the second identity together with the second quantum key.
  • when the second identifier is generated by the source second device, and the first device provides the second quantum key to the source second device through the ninth message, the second identifier also needs to be provided to the source second device, so that it learns that, when performing the transaction corresponding to the second identification, the second quantum key pushed together with the second identification is to be used.
  • the method also includes:
  • the third message can achieve a variety of functions, for example, it can be used to notify/instruct the third device to provide quantum key services for the second device at the destination, etc. There is no necessary time sequence for sending the third message and sending the fourth message.
  • the third message may carry the second identifier.
  • the third message can be used for:
  • when the third device receives the fifth message carrying the second identifier sent by the second device at the destination, it provides the second quantum key and/or the second quantum random number to the second device at the destination according to the second identifier.
  • the above two situations both let the second device at the destination know which second quantum key needs to be used when performing the transaction corresponding to the second identification. Their function is to let the second device at the source end and the second device at the destination end synchronize and use the same key for secure communication.
  • the method provided by the embodiment of the present disclosure further includes:
  • the first device receives a second message sent by the second device at the source end for requesting a quantum key
  • the cache pool here is obtained in the following ways:
  • the first device stores the first quantum key and/or the first quantum random number obtained from the first network to form the cache pool; wherein the first quantum key in the cache pool is obtained through negotiation between the first KM and the second KM in the QKD network.
  • the method provided by the embodiment of the present disclosure also includes: the first device determines to obtain the first quantum key from the cache pool.
  • this is the judgment process of the first device, that is, it needs to judge whether to obtain the first quantum key in real time or from the cache pool. Likewise, this judgment step is not necessary.
  • the first device is configured to directly obtain the first quantum key from the buffer pool without making judgment.
  • the second message in step S301a carries at least one of the following information: device-related information, service-related information, key-related information, and second identification of the second device at the destination;
  • the method also includes:
  • the first device obtains the second identity according to the second message, or the first device allocates the second identity for this key service.
  • step S302 provides the second quantum key and/or the second quantum random number to the second device, including:
  • the method provided by the embodiment of the present disclosure also includes:
  • the third message here may carry the second identifier.
  • when the third device receives the fifth message carrying the second identifier sent by the second device at the destination, it provides the second quantum key and/or the second quantum random number to the second device at the destination according to the second identifier.
  • the third message may also carry a third identifier, where the third identifier is used to identify the first quantum key and/or the first quantum random number.
  • the third device is caused to obtain the corresponding first quantum key and/or the first quantum random number from the cache pool according to the third identification.
  • the third device will also store the first quantum key after receiving the first quantum key sent by the second KM to form a cache pool.
  • the first quantum key here is the first quantum key negotiated by the first KM and the second KM.
  • the first KM and the second KM will also push the third identifier corresponding to the first quantum key.
  • the third device can select the corresponding first quantum key from the cache pool according to the third identification to achieve key synchronization.
  • the method provided by the embodiment of the present disclosure further includes:
  • the third identifier is used to identify the first quantum key.
  • the main purpose of the third identifier is to synchronize the first device and the third device when they obtain the key from their cache pools, that is, through the third identifier the first device and the third device can learn which first quantum key the other end has taken out. There are two possible situations here.
  • the first one is as mentioned above.
  • the first device determines the third identifier of the first quantum key it has taken out, and carries the third identifier in the third message to inform the third device that it needs to select the key corresponding to the third identifier; the second method is for the first device to send a third message.
  • the third message can notify the third device to retrieve the key from the cache pool, or notify the third device that it needs to push the key to the second device at the destination.
  • the third device then determines the third identifier of the retrieved first quantum key; that is, the third device determines which key to select from the cache pool and returns the third identifier to the first device.
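The identifier-based synchronization described above, as an added Go example that is not code from the patent: two service centers (the first device and the third device) hold cache pools filled by their KMs with the same first quantum keys under the same third identifiers; the first device answers the source's request with a key and a second identifier, tells the third device which key it took (first method above), and the destination later presents only the second identifier to the third device and receives the same key. Type and method names, the `"k-001"`-style identifiers and the key bytes are constructed for this example; the second method (third device chooses and reports the third identifier) is not modelled.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ServiceCenter stands in for both the first device and the third device: each
// holds a cache pool of first quantum keys indexed by the third identifier
// its KM pushed, and a table of transactions (second identifier) waiting for
// the destination. All names here are this example's own.
type ServiceCenter struct {
	name    string
	pool    map[string][]byte // third identifier -> first quantum key
	pending map[string]string // second identifier -> third identifier reserved for it
	txnSeq  int
}

// ThirdMessage is what the first device sends to the third device: which
// transaction, and which first quantum key that transaction uses.
type ThirdMessage struct {
	SecondID string
	ThirdID  string
}

func NewServiceCenter(name string) *ServiceCenter {
	return &ServiceCenter{name: name, pool: map[string][]byte{}, pending: map[string]string{}}
}

// ReceiveFromKM stores a key pushed by the KM together with its third identifier.
func (c *ServiceCenter) ReceiveFromKM(thirdID string, key []byte) {
	c.pool[thirdID] = key
}

// HandleSecondMessage is the first device's handling of the source device's key
// request: allocate a second identifier, take one key from the pool, and
// return the key and identifier (for the ninth message to the source) and the
// third message (for the third device). The key leaves the pool immediately.
func (c *ServiceCenter) HandleSecondMessage() (key []byte, secondID string, notify ThirdMessage, err error) {
	if len(c.pool) == 0 {
		return nil, "", ThirdMessage{}, errors.New("cache pool empty: fetch from the first KM in real time")
	}
	// Deterministic choice: lowest third identifier first.
	ids := make([]string, 0, len(c.pool))
	for id := range c.pool {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	thirdID := ids[0]
	key = c.pool[thirdID]
	delete(c.pool, thirdID)
	c.txnSeq++
	secondID = fmt.Sprintf("%s-txn-%04d", c.name, c.txnSeq)
	return key, secondID, ThirdMessage{SecondID: secondID, ThirdID: thirdID}, nil
}

// HandleThirdMessage is the third device's side: check that it holds the same
// first quantum key (pools in step) and reserve it for the transaction.
func (c *ServiceCenter) HandleThirdMessage(m ThirdMessage) error {
	if _, ok := c.pool[m.ThirdID]; !ok {
		return fmt.Errorf("third identifier %q not in pool: pools out of sync", m.ThirdID)
	}
	c.pending[m.SecondID] = m.ThirdID
	return nil
}

// HandleFifthMessage answers the destination device, which presents only the
// second identifier it received from the source. The reserved key is handed
// out once and then removed, so a replayed fifth message fails.
func (c *ServiceCenter) HandleFifthMessage(secondID string) ([]byte, error) {
	thirdID, ok := c.pending[secondID]
	if !ok {
		return nil, fmt.Errorf("second identifier %q unknown or already served", secondID)
	}
	key, ok := c.pool[thirdID]
	if !ok {
		return nil, errors.New("reserved key no longer in pool")
	}
	delete(c.pool, thirdID)
	delete(c.pending, secondID)
	return key, nil
}

func main() {
	first, third := NewServiceCenter("A"), NewServiceCenter("B")
	// Constructed keys: the first KM and second KM negotiated k-001 and k-002
	// and pushed both, with their third identifiers, to their respective centers.
	for id, k := range map[string][]byte{"k-001": []byte("first-key-01"), "k-002": []byte("first-key-02")} {
		first.ReceiveFromKM(id, k)
		third.ReceiveFromKM(id, k)
	}
	srcKey, secondID, msg, err := first.HandleSecondMessage()
	if err != nil {
		panic(err)
	}
	if err := third.HandleThirdMessage(msg); err != nil {
		panic(err)
	}
	dstKey, err := third.HandleFifthMessage(secondID)
	fmt.Printf("txn %s: source=%s destination=%s err=%v\n", secondID, srcKey, dstKey, err)
}
```

Two checks carry the security weight: the third device refuses a third identifier it does not hold (the pools have drifted, so the ends would otherwise end up with different keys), and a second identifier is served once, so a replayed fifth message cannot obtain the key again.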
  • step S302 provides the second quantum key and/or the second quantum random number to the second device, including:
  • a second quantum key and/or a second quantum random number are provided to the second device for use by the second device for security applications.
  • the security applications here can be various applications such as confidential communication, security authentication, and encrypted storage.
  • the second quantum key and/or the second quantum random number are used by the second device as a session key, a key protection key, a root key, a master key, an encryption storage key, or an authentication key. That is to say, the role of the second quantum key is determined by the second device according to the specific security application form. The first device is only responsible for providing the second quantum key.
  • step S302 provides a second quantum key and/or a second quantum random number to the second device, including at least one of the following situations:
  • the embodiment of the present disclosure also provides a quantum secure communication method, as shown in Figure 7, including:
  • S702. Provide the second quantum key and/or the second quantum random number to the second device at the destination.
  • receiving the first quantum key and/or the first quantum random number sent by the second KM in the QKD network in step S701 includes:
  • S701a Send the seventh message to the second KM in the QKD network, and receive the first quantum key and/or the first quantum random number sent by the second KM in the QKD network;
  • S701b wait in the listening mode for the second KM in the QKD network to send the first quantum key and/or the first quantum random number through the eleventh message.
  • the method provided by the embodiment of the present disclosure further includes: receiving a third message sent by a first device that provides a quantum key service for a second source device.
  • the third message may also carry a third identifier, and the third identifier is used to identify the first quantum key and/or the first quantum random number.
  • the method further includes: the third device obtains the corresponding first quantum key and/or the first quantum random number from the cache pool according to the third identification. This situation is a situation where the first device determines the third identifier.
  • the method provided by the embodiment of the present disclosure further includes: after receiving the third message, sending a third identification to the first device, the third identification being used to identify the first quantum key and/or the first quantum random number.
  • the third device determines the third identifier. After the third device determines, it will also send the third identifier to the first device through the twelfth message.
  • providing the second quantum key and/or the second quantum random number to the destination second device in step S302 includes:
  • the third message may carry the second identifier.
  • step S302 providing the second quantum key and/or the second quantum random number to the second device at the destination includes:
  • the third device provides the second identification while providing the second quantum key and/or the second quantum random number to the destination second device;
  • when the third device receives the fifth message carrying the second identifier sent by the second device at the destination, the third device provides the second quantum key and/or the second quantum random number to the second device at the destination according to the second identifier.
  • the second device at the destination obtains the second identification through the sixth message sent by the second device at the source.
  • the second identifier may be assigned by the second source device, or may be notified by the first device to the source second device after being assigned.
  • the second identifier is sent to the second device at the destination end through the sixth message, so that the second device at the destination end can obtain the quantum key for this transaction from the third device according to the second identifier (it can actively obtain it based on the second identifier, or passively wait for the push from the third device and determine the second quantum key used in this transaction based on the second identifier in the push message).
  • the quantum cryptography service center determines how to provide quantum cryptography services based on the service areas to which both communicating parties belong, that is, whether it is a local service or a cross-region service. For two business applications that communicate within the same service area (for example, quantum cryptography application devices A and B in Figure 5), the quantum cryptography service center provides local services. It does not need to call the quantum key negotiation capability of the underlying QKD network; it only obtains the quantum random number generated by the local QKD network node device or the local quantum random number generator through the Ak interface, generates a symmetric quantum key from it, and provides the key to the upper layer, thereby meeting the cryptographic application requirements of the two communicating services.
  • For two business applications belonging to different service areas (for example, quantum cryptography application devices A and C in Figure 5), the quantum cryptography service center provides cross-regional services. In this case it needs to interact with the quantum cryptography service center that serves the opposite end, obtain a symmetric quantum key through negotiation over the quantum QKD network, and provide it to the two business applications.
  • FIG 8 shows the process flow of two quantum cryptography application devices A and B that belong to the same area and obtain services from the same quantum cryptography service center A to achieve quantum confidential communication.
  • the quantum cryptography application device is just an example chosen for convenience of explanation, and it can refer to any network device or business application at the user level. The following processes are similar and will not be described again.
  • A sends a quantum secure communication request message to B.
  • the message can carry the identification of the home service center that provides quantum cryptography services for device A and security-related information.
  • Security-related information is used to complete the quantum communication encryption negotiation, and can include quantum key-related information (such as key amount, key acquisition method, etc.) and encryption-related information (such as encryption mode (stream encryption, block encryption, etc.), integrity protection, encryption algorithms, etc.).
  • Quantum cryptography application device B returns a quantum confidential communication response message to A, which can carry the quantum cryptography service center identification of device B and the security-related information confirmed by B.
  • Steps 1 to 2 are the establishment process of quantum secure communication between A and B. This is only a schematic explanation. This establishment process will be different in different applications. It may be an interaction between a business request and a response message, or it may be an interaction between a series of protocol messages. For example, in the quantum encrypted telephone service, the process is to complete the interaction of the call request and the call response message.
  • the message can carry a confidential communication identifier to indicate the security attribute of the service; in a confidential communication service based on the IPSec protocol, the process includes two stages of message interaction that, following the IPSec protocol, complete identity authentication and quantum encryption service negotiation between the communicating devices; and so on.
  • Quantum cryptography application device A sends a key request to its home quantum cryptography service center A through the As interface, which carries the identification/addresses A and B of the source and destination of the communication, business-related information and key-related information, etc.
  • Business-related information is used to describe the business identifier, type and attributes of this quantum secure communication, and is used to distinguish the diversified services at the upper level. For example, data services, voice services, email services, streaming media services, messaging services, etc.
  • Key-related messages are used to describe the requirements of quantum cryptography application equipment A and B for quantum keys, such as key quantity, key quality of service (QoS) requirements (key transmission rate, provision time requirements, etc.) , transmission mode (such as request, push, etc.), etc.
  • the request message may also carry the identifier of the quantum cryptography service center to which the destination belongs, which is used to determine the service area to which quantum cryptography application device B belongs.
  • quantum cryptography service center A determines, based on the identification/address information of the destination device B or the carried identification A of the quantum cryptography service center to which the destination belongs, whether the destination is a business node within the area for which this service center is responsible. If so, go to step 5; otherwise, go to the cross-region quantum secure communication processing flow (see Figure 9).
  • Quantum cryptography service center A obtains quantum random numbers locally and generates a transaction identifier (Transaction ID, TID) and quantum key K for this session.
  • the quantum random number can be obtained by calling the quantum random number generator deployed locally in the quantum cryptography service center A, or it can be obtained from the QKD network device node in the local area through the Ak interface.
  • the transaction identifier TID corresponds to the quantum key K and is used to identify the quantum symmetric key corresponding to this session.
  • the quantum key is generated based on the obtained quantum random number.
  • the quantum key K should meet the needs of the business.
  • Key-related information may include system-customized parameter content, such as key generation time, key lifetime, and other information.
  • Quantum cryptography application device A sends a key notification message to B, which carries the transaction identifier TID, which is used to notify the peer to obtain the generated quantum key K.
  • Quantum cryptography application device B sends a key request to its home quantum cryptography service center A, which carries the transaction identifier TID and can carry the identities/addresses A and B of the source and destination of the communication.
  • the quantum cryptography service center A searches for the corresponding quantum key K and feeds it back to the quantum cryptography application device B through the key response message.
  • the message can also carry key-related information to provide system-customized parameter content, such as key generation time, key lifetime, and other information.
  • After receiving the key response, quantum cryptography application device B returns a key response message to A, informing the peer that the quantum symmetric key K to be used in this communication session has been successfully obtained.
  • quantum cryptography application equipment A and B can start quantum secure communication.
  • the transaction identifier TID is only one way to realize key notification and acquisition.
  • quantum cryptography service center A can generate a token or ticket and deliver it to device B through quantum cryptography application device A. With the token or ticket, device B can obtain the corresponding quantum key K from service center A to communicate securely with device A.
  • the quantum cryptography service center can protect the integrity of, and/or sign, the key-related content of the information and add a timestamp, to ensure that the information cannot be forged, tampered with, or replayed by attackers. The following processes are similar and will not be described again.
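  • The local-service flow of Figure 8, as an added illustration that is not part of this disclosure: a hypothetical service center class generates K and a transaction identifier TID for the A-B session, hands A a timestamped, integrity-protected ticket to relay to B, and releases K to B only after checking the tag, the expiry, single use and the intended device. The class names, the HMAC ticket key and the use of os.urandom in place of the quantum random number source are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import time


def quantum_random(n_bytes: int) -> bytes:
    """Constructed stand-in for the local QRNG / Ak-interface random source;
    os.urandom is used so the example runs offline."""
    return os.urandom(n_bytes)


class QuantumCryptoServiceCenter:
    """Hypothetical model of quantum cryptography service center A serving
    application devices A and B in the same service area (Figure 8)."""

    def __init__(self, center_id, members, ticket_key, key_lifetime_s=300):
        self.center_id = center_id
        self.members = set(members)        # devices in this service area
        self.ticket_key = ticket_key       # assumed center-internal HMAC key
        self.key_lifetime_s = key_lifetime_s
        self.sessions = {}                 # TID -> (K, key-related info)
        self.redeemed = set()              # TIDs already fetched by the peer

    def is_local(self, dest_id):
        """Step 4: is the destination a node in this center's own area?"""
        return dest_id in self.members

    def issue_ticket(self, tid, expires_at):
        """Ticket = TID . expiry . HMAC tag: the notification A relays to B
        cannot be forged or altered, and the expiry limits its lifetime."""
        body = f"{tid}.{expires_at}"
        tag = hmac.new(self.ticket_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def key_request(self, src, dst, key_bytes, now=None):
        """Steps 3-5: A's key request; returns TID, key K, key info, ticket."""
        if not self.is_local(dst):
            raise LookupError("destination outside this area: cross-region flow")
        now = int(time.time() if now is None else now)
        tid = secrets.token_hex(8)                  # transaction identifier
        k = quantum_random(key_bytes)               # K built from the QRNG output
        info = {"src": src, "dst": dst, "generated_at": now,
                "expires_at": now + self.key_lifetime_s}
        self.sessions[tid] = (k, info)
        return tid, k, info, self.issue_ticket(tid, info["expires_at"])

    def key_fetch(self, requester, ticket, now=None):
        """Steps 7-8: B presents the ticket received from A; the center checks
        tag, expiry, single use and intended device before returning K."""
        now = int(time.time() if now is None else now)
        try:
            tid, exp_s, tag = ticket.split(".")
        except ValueError:
            raise PermissionError("malformed ticket")
        expected = hmac.new(self.ticket_key, f"{tid}.{exp_s}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("ticket integrity check failed")
        if now > int(exp_s):
            raise PermissionError("ticket expired")
        if tid in self.redeemed:
            raise PermissionError("ticket already redeemed (replay)")
        if tid not in self.sessions:
            raise LookupError("unknown TID")
        k, info = self.sessions[tid]
        if requester != info["dst"]:
            raise PermissionError("ticket was not issued for this device")
        self.redeemed.add(tid)
        return k, info


def run_local_flow():
    """Walks Figure 8 once and probes the replay and tampering cases."""
    center = QuantumCryptoServiceCenter("QCSC-A", {"dev-A", "dev-B"},
                                        ticket_key=os.urandom(32))
    t0 = 1_700_000_000                      # constructed clock value
    tid, k_a, _, ticket = center.key_request("dev-A", "dev-B", 32, now=t0)
    # A -> B key notification carries the ticket; B fetches K from the center.
    k_b, _ = center.key_fetch("dev-B", ticket, now=t0 + 5)
    try:                                    # second use of the same ticket
        center.key_fetch("dev-B", ticket, now=t0 + 6)
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    parts = ticket.split(".")               # extend the expiry without re-signing
    parts[1] = str(int(parts[1]) + 3600)
    try:
        center.key_fetch("dev-B", ".".join(parts), now=t0 + 7)
        tamper_blocked = False
    except PermissionError:
        tamper_blocked = True
    return k_a == k_b, replay_blocked, tamper_blocked   # -> (True, True, True)
```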
  • FIG 9 shows the process flow of two quantum cryptography application devices A and C, which belong to different areas and obtain services from different quantum cryptography service centers A and B, to achieve quantum confidential communication. They achieve this by real-time key negotiation through the quantum QKD network.
  • Steps 1 to 2 are the establishment process of quantum secure communication, which is similar to Figure 8 and will not be repeated here.
  • the carried identification of the home quantum cryptography service center is B, which is different from that of quantum cryptography application device A.
  • Quantum cryptography application device A sends a key request to its home quantum cryptography service center A through the As interface, which carries the identification/addresses A and C of the source and destination of the communication, business-related information and key-related information, etc.
  • Business-related information is used to describe the business identifier, type and attributes of this quantum secure communication, and is used to distinguish the diversified services at the upper level. For example, data services, voice services, email services, streaming media services, messaging services, etc.
  • Key-related messages are used to describe the requirements of quantum cryptography application devices A and C for quantum keys, such as key amount, key QoS requirements (key transmission rate, provision time requirements, etc.), transmission mode (e.g., on-demand, push type, etc.), etc.
  • the request message may also carry the identification of the quantum cryptography service center to which the destination belongs, which is used to determine the service area to which the quantum cryptography application device C belongs.
  • quantum cryptography service center A determines, based on the identification/address information of the destination quantum cryptography application device C or the carried identification B of the destination quantum cryptography service center, whether the destination is a business node within the region for which this service center is responsible. If so, go to the local quantum secure communication processing flow (see Figure 8); otherwise, go to step 5.
  • Quantum cryptography service center A generates a transaction identifier TID for the cryptographic request of this quantum confidential communication, determines the quantum cryptography service center to which the destination belongs, and sends a quantum cryptography service request message to it. The message carries the identification/addresses A and C of the source and destination quantum cryptography application equipment, the transaction identifier TID, business-related information, quantum key-related information, QKD service node information, etc.
  • the transaction identifier TID is used to associate this quantum secure communication service with the quantum key for this service, so that the quantum cryptography service centers at both ends can index and manage user applications and quantum cryptography services.
  • Business-related information is used to describe the business identifier, type and attributes of this quantum secure communication.
  • Key-related messages are used to explain the need for quantum keys in this quantum secure communication.
  • it can also carry QKD service node information, which is used to inform the opposite end of the quantum QKD network key management device identification/address that provides services for the local end, so that the opposite end can access it.
  • Quantum cryptography service center B returns the quantum cryptography service response message for confirmation.
  • the message includes the transaction identifier TID and QKD service node information.
  • QKD service node information is used to inform the peer of the quantum QKD network key management device ID/address that provides services to the peer for access by the peer.
  • Quantum cryptography service center A sends a QKD key request to the local quantum QKD network key management device A through the Ak interface, and negotiates with the peer through the underlying quantum QKD network to obtain the quantum key.
  • the request includes the destination quantum cryptography service center/quantum QKD network key management device identification, quantum key related information, etc.
  • the identification information is used to identify the underlying QKD network key management equipment that provides services to the destination quantum cryptography service center B for easy access.
  • Information related to quantum keys is used to meet the demand for quantum keys in this cryptographic business.
  • Quantum QKD network key management devices A and B call the QKD network quantum layer capabilities to start key negotiation.
  • After the quantum key negotiation succeeds, the QKD network key management equipment provides the generated quantum key K and quantum key related information to the quantum cryptography service center through the Ak interface.
  • steps 7 to 9 will actually require different operations depending on the key negotiation method used (such as request type, push type, etc.).
  • After the negotiation succeeds, quantum cryptography service center A returns a key response message to quantum cryptography application device A, which carries the transaction identifier TID and quantum key K, and optionally carries key-related information and other content.
  • Key-related information may include system-customized parameter content, such as key generation time, key lifetime, and other information.
  • Quantum cryptography application device A sends a key notification message to C, which carries the transaction identifier TID, which is used to notify the peer to obtain the negotiated quantum key K.
  • Quantum cryptography application device C sends a key request to its home quantum cryptography service center B, which carries the transaction identifier TID and can carry the identities/addresses A and C of the source and destination of the communication.
  • the quantum cryptography service center B searches for the corresponding quantum key K and feeds it back to the quantum cryptography application device C through the key response message.
  • the message can also carry key-related information to provide system-customized parameter content, such as key generation time, key lifetime, and other information.
  • After receiving the key response, quantum cryptography application device C returns a key response message to A, informing the peer that the quantum symmetric key K to be used in this communication session has been successfully obtained.
  • quantum cryptography application equipment A and C can start quantum secure communication.
  • the quantum cryptography service center determines the quantum cryptography service method based on the business type or needs of the upper-layer application. For businesses with high security requirements or a need for long-lived quantum keys, with stable but small average usage that the QKD network performance can meet (such as off-site data disaster recovery, encrypted phone calls, encrypted video, etc.), when the quantum cryptography service center receives a request it can provide a quantum key through real-time negotiation on the QKD network (Figure 9).
  • the quantum cryptography service center can establish a quantum key buffer pool and pre-negotiate and store a certain number of quantum keys to meet the needs of this type of business (Figure 10).
  • the quantum cryptography service center can call QKD network capabilities to negotiate with other quantum cryptography service centers to generate quantum symmetric keys, mark them, and cache them for later use.
  • FIG 10 shows the process flow of two quantum cryptography application devices A and C, which belong to different areas and obtain services from different quantum cryptography service centers A and B, to achieve quantum confidential communication, using pre-cached quantum keys.
  • Steps 1 to 4 are the same as in Figure 9 and will not be repeated here.
  • quantum cryptography service center A determines whether the quantum secret communication service can use pre-negotiated and cached quantum keys to meet the application requirements. If yes, go to step 6; otherwise, go to the quantum QKD real-time negotiation process (see Figure 6).
  • Quantum cryptography service center A generates a transaction identifier TID for the cryptographic request of this quantum confidential communication, determines the quantum cryptography service center to which the destination belongs, and sends a quantum cryptography service request message to it. The message carries the identification/addresses A and C of the source and destination quantum cryptography application equipment, the transaction identifier TID, business-related information, quantum key-related information, etc.
  • Quantum cryptography service center B returns the quantum cryptography service response message for confirmation.
  • the message includes the transaction identifier TID.
  • After the negotiation succeeds, quantum cryptography service center A returns a key response message to quantum cryptography application device A, which carries the transaction identifier TID and quantum key K, and optionally carries key-related information and other content.
  • Key-related information may include system-customized parameter content, such as key generation time, key lifetime, and other information.
  • Quantum cryptography application device A sends a key notification message to C, which carries the transaction identifier TID, which is used to notify the peer to obtain the negotiated quantum key K.
  • Quantum cryptography application device C sends a key request to its home quantum cryptography service center B, which carries the transaction identifier TID and can carry the identities/addresses A and C of the source and destination of the communication.
  • the quantum cryptography service center B searches for the corresponding quantum key K and feeds it back to the quantum cryptography application device C through the key response message.
  • the message can also carry key-related information to provide system-customized parameter content, such as key generation time, key lifetime, and other information.
  • After receiving the key response, quantum cryptography application device C returns a key response message to A, informing the peer that the quantum symmetric key K to be used in this communication session has been successfully obtained.
  • quantum cryptography application equipment A and C can start quantum secure communication.
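  • The cross-region flows of Figures 9 and 10 together with the key synchronization described earlier for the cache pool, as an added illustration that is not part of this disclosure: two hypothetical service centers share keys negotiated by their QKD key management devices, index them by a key identifier, serve a request from the pre-negotiated pool when a suitable key is cached and fall back to real-time negotiation otherwise; the service request to the peer center carries the TID and the key identifier so both ends take out the same K. The class names and the simulated QKD link (os.urandom in place of real negotiation) are assumptions of this example.

```python
import os
import secrets


class QKDLink:
    """Constructed stand-in for negotiation between QKD key management devices
    KM-A and KM-B (Figure 9 steps 7-9): each call yields one key that every
    attached service center stores under the same key identifier."""

    def __init__(self):
        self.ends = []

    def attach(self, center):
        self.ends.append(center)

    def negotiate(self, key_bytes):
        key_id, k = secrets.token_hex(4), os.urandom(key_bytes)
        for center in self.ends:
            center.pool[key_id] = k
        return key_id


class ServiceCenter:
    """Hypothetical quantum cryptography service center holding a pool of
    pre-negotiated keys (Figure 10) and falling back to real-time negotiation
    (Figure 9) when the pool cannot serve a request."""

    def __init__(self, center_id, members, link):
        self.center_id = center_id
        self.members = set(members)   # application devices in this area
        self.link = link
        self.pool = {}                # key id -> K (pre-negotiated cache)
        self.sessions = {}            # TID -> K (keys bound to a transaction)

    def prefill(self, count, key_bytes):
        """Pre-negotiate and cache keys ahead of demand (Figure 10)."""
        for _ in range(count):
            self.link.negotiate(key_bytes)

    def key_request(self, src, dst, key_bytes, peer):
        """Device src asks for a key to reach dst, which the peer center serves."""
        if dst in self.members:
            raise LookupError("destination is local: use the Figure 8 flow")
        tid = secrets.token_hex(8)    # transaction identifier for this session
        # Figure 10 step 5: does a cached key satisfy the requested amount?
        key_id = next((i for i, k in self.pool.items() if len(k) == key_bytes), None)
        mode = "cached"
        if key_id is None:
            key_id = self.link.negotiate(key_bytes)   # Figure 9: real-time QKD
            mode = "realtime"
        k = self.pool.pop(key_id)
        # The service request to the peer carries TID plus the key identifier,
        # so the peer takes the same K out of its own pool (key synchronization).
        peer.service_request(tid, key_id, src, dst)
        self.sessions[tid] = k
        return tid, k, mode

    def service_request(self, tid, key_id, src, dst):
        """Peer side: bind the identified cached key to the TID."""
        if key_id not in self.pool:
            raise LookupError(f"key id {key_id} not in pool: pools desynchronized")
        self.sessions[tid] = self.pool.pop(key_id)
        return tid                    # the service response confirms the TID

    def key_fetch(self, tid):
        """The destination device presents the TID from the key notification."""
        return self.sessions.pop(tid)


def run_cross_region():
    """Figure 10 once (cached key), then Figure 9 once (no suitable cached key)."""
    link = QKDLink()
    center_a = ServiceCenter("QCSC-A", {"dev-A", "dev-B"}, link)
    center_b = ServiceCenter("QCSC-B", {"dev-C"}, link)
    link.attach(center_a)
    link.attach(center_b)
    center_a.prefill(2, 32)                       # two 32-byte keys cached
    tid1, k_a1, mode1 = center_a.key_request("dev-A", "dev-C", 32, center_b)
    k_c1 = center_b.key_fetch(tid1)               # C fetches K from B via TID
    tid2, k_a2, mode2 = center_a.key_request("dev-A", "dev-C", 64, center_b)
    k_c2 = center_b.key_fetch(tid2)
    return (mode1, k_a1 == k_c1, mode2, k_a2 == k_c2,
            len(center_a.pool), len(center_b.pool))
    # -> ("cached", True, "realtime", True, 1, 1)
```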
  • an embodiment of the present disclosure also provides a quantum secure communication device, applied to the first device, including:
  • the processing module 1101 is used to obtain the first quantum key and/or the first quantum random number from the first network, or obtain the first quantum key and/or the first quantum random number locally;
  • the sending module 1102 is used to provide the second quantum key and/or the second quantum random number to the second device.
  • the device further includes:
  • the judgment module is used to judge whether the second device at the destination belongs to the node in this area.
  • the judgment module includes:
  • the first sub-module is used to receive the first message sent by the second device at the source end; the first message carries device-related information of the second device at the destination end;
  • the second submodule is used to determine whether the second device at the destination belongs to a node in this area based on the device-related information of the second device at the destination.
  • the sending module includes:
  • the first sending sub-module is used to provide the second quantum key and/or the second quantum random number to the second source device and the second destination device.
  • the sending sub-module is further used to:
  • providing a second quantum key and/or a second quantum random number includes:
  • encrypting the second quantum key and/or the second quantum random number corresponding to each second device separately, which includes:
  • using a first key to encrypt the second quantum key and/or the second quantum random number; wherein the first key is a symmetric key between the first device and each second device;
  • the device further includes:
  • a message receiving module configured to receive the first message sent by the second device at the source end; the first message carries at least one of the following information: device-related information, service-related information, and key-related information of the second device at the destination end, and the first identification;
  • a determining module used to obtain the second quantum key and/or the second quantum random number, and the first identification.
  • An information providing module configured to provide the second quantum key and/or the second quantum random number, and the first identification to the second source device and/or the second destination device.
  • providing the second quantum key and/or the second quantum random number, and the first identification, to the source second device and/or the destination second device includes at least one of the following:
  • a second quantum key and/or a second quantum random number and the first identification are provided to the source-side second device and the destination-side second device.
  • the processing module includes:
  • the third submodule is used to receive the second message sent by the second device at the source end to request the quantum key;
  • the fourth sub-module is used to send the fourth message to the first KM in the QKD network;
  • the fifth sub-module is used to receive the first quantum key and/or the first quantum random number sent by the first KM.
  • the first quantum key is obtained by negotiation between the first KM and the second KM after receiving the fourth message.
  • the device further includes:
  • the third determination module is used to determine that the first KM is required to provide the first quantum key, or the first device determines that the first quantum key in the current buffer pool cannot meet the usage requirements.
  • the second message carries at least one of the following information: device-related information, service-related information, key-related information, and second identification of the second device at the destination;
  • the method also includes:
  • the first device obtains the second identity according to the second message, or the first device allocates the second identity to this request.
  • the sending module includes:
  • the second sending submodule is used to provide the second quantum key and/or the second quantum random number, and the second identification to the second source device.
  • the device further includes:
  • the fourth sending module is configured to send a third message to a third device that provides quantum key services for the second device at the destination.
  • the third message carries the second identifier.
  • the third message is used for:
  • when the third device receives the fifth message carrying the second identifier sent by the second device at the destination, it provides the second quantum key and/or the second quantum random number to the second device at the destination according to the second identifier.
  • the device further includes:
  • a sixth receiving module configured to receive a second message sent by the second device at the source end to request a quantum key;
  • An information acquisition module is used to acquire the first quantum key and/or the first quantum random number from the cache pool.
  • the device further includes:
  • a third processing module configured to store the first quantum key and/or the first quantum random number obtained from the first network to form the cache pool;
  • the first quantum key in the cache pool is obtained through negotiation between the first KM and the second KM in the QKD network.
  • the device further includes:
  • the fourth determination module is used to determine to obtain the first quantum key from the cache pool.
  • the second message carries at least one of the following information: device-related information, service-related information, key-related information, and second identification of the second device at the destination;
  • the device also includes:
  • the fourth processing module is configured to obtain a second identity according to the second message, or the first device allocates a second identity to this key service.
  • the sending module includes:
  • the third sending sub-module is used to provide the second quantum key and/or the second quantum random number, and the second identification to the second source device.
  • the device further includes:
  • the seventh sending module is used to send a third message to a third device that provides quantum key services for the second device at the destination.
  • the third message carries the second identifier.
  • the third message is used for:
  • when the third device receives the fifth message carrying the second identifier sent by the second device at the destination, it provides the second quantum key and/or the second quantum random number to the second device at the destination according to the second identifier.
  • the third message carries a third identifier, and the third identifier is used to identify the first quantum key and/or the first quantum random number.
  • the third identifier is used for:
  • the third device is caused to obtain the corresponding first quantum key and/or the first quantum random number from the cache pool according to the third identification.
  • the device further includes:
  • the eighth receiving module is configured to receive a third identification sent by a third device, where the third identification is used to identify the first quantum key and/or the first quantum random number.
  • the sending module includes:
  • the fourth sending sub-module is used to provide the second quantum key and/or the second quantum random number to the second device, where the second quantum key and/or the second quantum random number are used by the second device for security applications.
  • the second quantum key and/or the second quantum random number are used by the second device as a session key, a key protection key, a root key, a master key, an encryption storage key, or an authentication key.
  • providing the second quantum key and/or the second quantum random number to the second device includes at least one of the following situations:
  • the first device is used to integrate and interconnect the user network and the first network in a loosely coupled manner, thereby meeting the needs of future networks and services for diversified, large-scale applications of quantum cryptography.
  • the quantum secure communication device provided by the embodiments of the present disclosure is a device that can perform the above-mentioned quantum secure communication method, so all embodiments of the above-mentioned quantum secure communication method are applicable to this device and can achieve the same or similar beneficial effects.
  • a device includes a memory 1210, a processor 1200, and a program stored on the memory 1210 and executable on the processor 1200.
  • when the processor 1200 executes the program, each process in the quantum secure communication method embodiment described above is implemented, and the same technical effect can be achieved. To avoid duplication, it is not described again here.
  • Embodiments of the present disclosure also provide a computer-readable storage medium on which a computer program is stored.
  • when the program is executed by a processor, each process in the quantum secure communication method embodiment described above is implemented, and the same technical effect can be achieved. To avoid repetition, it is not described again here.
  • the computer-readable storage medium is such as read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk, etc.
  • an embodiment of the present disclosure also provides a quantum secure communication device, applied to a third device, including:
  • the receiving unit 1301 is configured to receive the first quantum key and/or the first quantum random number sent by the second KM in the QKD network, or to obtain the first quantum key and/or the first quantum random number from the cache pool;
  • the sending unit 1302 is configured to provide the second quantum key and/or the second quantum random number to the second device at the destination.
  • the sending unit includes:
  • the first sending subunit is used to send the seventh message to the second KM in the QKD network and to receive the first quantum key and/or the first quantum random number sent by the second KM in the QKD network;
  • or, the first quantum key and/or the first quantum random number are obtained by waiting, in listening mode, for the second KM in the QKD network to send them.
  • the device further includes:
  • the first receiving unit is configured to receive the third message sent by the first device that provides quantum key services for the second source device.
  • the third message also carries a third identifier, and the third identifier is used to identify the first quantum key and/or the first quantum random number.
  • the device further includes:
  • An acquisition unit configured to acquire the corresponding first quantum key and/or first quantum random number from the cache pool according to the third identification.
  • the device further includes:
  • the second sending unit is configured to send a third identification to the first device after receiving the third message, where the third identification is used to identify the first quantum key and/or the first quantum random number.
  • the sending unit is further used to:
  • the third message carries the second identifier.
  • the sending unit is further used to:
  • the first device is used to integrate and interconnect the user network and the first network in a loosely coupled manner, thereby meeting the needs of future networks and services for diversified, large-scale applications of quantum cryptography.
  • the quantum secure communication device provided by the embodiments of the present disclosure is a device that can perform the above-mentioned quantum secure communication method, so all embodiments of the above-mentioned quantum secure communication method are applicable to this device and can achieve the same or similar beneficial effects.
  • an embodiment of the present disclosure also provides a device, including a memory 1410, a processor 1400, and a program stored on the memory 1410 and executable on the processor 1400.
  • when the processor 1400 executes the program, each process in the quantum secure communication method embodiment described above is implemented, and the same technical effect can be achieved. To avoid repetition, it is not described again here.
  • Embodiments of the present disclosure also provide a computer-readable storage medium on which a computer program is stored.
  • when the program is executed by a processor, each process in the quantum secure communication method embodiment described above is implemented, and the same technical effect can be achieved. To avoid repetition, it is not described again here.
  • the computer-readable storage medium is such as read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk, etc.
  • Embodiments of the present disclosure also provide a quantum cryptography service network, including several first devices as described above, and/or several third devices as described above.
  • the quantum cryptography service network can also be called a quantum key service network, quantum cryptography/key service (network) layer, quantum cryptography/key (security) service middle layer, quantum cryptography/key security service network/service layer, quantum cryptography/key based network/service layer, etc.
  • Embodiments of the present disclosure also provide a quantum secure communication system, including: the quantum cryptography service network, the first network and the user network as described above.
  • embodiments of the present disclosure may be provided as methods, systems, or computer program products. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment that combines software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, magnetic disk storage, optical storage, and the like) embodying computer-usable program code therein.
  • the computer-readable storage media include, but are not limited to, magnetic disk storage, optical storage, and the like.
  • These computer program instructions may also be stored in a computer-readable storage medium capable of directing a computer or other programmable data processing apparatus to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means,
  • the instruction means implements the functions specified in a process or processes of the flowchart and/or a block or blocks of the block diagram.
  • These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a sequence of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in a process or processes of the flowchart and/or a block or blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Optical Communication System (AREA)

Abstract

Provided in the present disclosure are a quantum secure communication method and device, a quantum password service network, and a quantum secure communication system. The quantum secure communication method comprises: a first device obtains a first quantum key and/or a first quantum random number from a first network, or locally obtains the first quantum key and/or the first quantum random number; the first device provides a second quantum key and/or a second quantum random number for a second device.

Description

Quantum secure communication method and device, quantum cryptography service network and communication system
Cross-reference to related applications
This application claims priority to Chinese Patent Application No. 202210531198.0, filed in China on May 16, 2022, the entire content of which is incorporated herein by reference.
Technical field
The present disclosure relates to the field of communication technology, and in particular to a quantum secure communication method and device, a quantum cryptography service network and a quantum secure communication system.
Background
The user-network service applications of current quantum secure communication networks show a trend toward massive, heterogeneous and diversified growth. Quantum secure communication technology is needed not only in traditional wired basic communication networks (which, depending on the dimension of division, include wide area networks, metropolitan area networks, backbone networks, aggregation networks, access networks, bearer networks, transmission networks and so on) to achieve high-speed, secure transmission of data between systems and between device nodes; mobile communication networks based on wireless technologies such as the fourth generation (4G) and fifth generation (5G) of mobile communication and Wireless Fidelity (WiFi) also need to be combined with quantum security technology to achieve confidential communication between base stations/hotspots, mobile terminals and devices, so as to achieve high-security data transmission along the end-to-end "terminal-edge-pipe-cloud" path and comprehensively raise the information security level of the network system.
However, how to design the system architecture of quantum secure communication, and how to effectively manage the entire life cycle of quantum keys (for example, their generation, distribution, negotiation, use and destruction) so as to meet the quantum cryptography application needs of massive and diverse future user services, is an urgent problem to be solved.
Summary of the invention
The purpose of the present disclosure is to provide a quantum secure communication method and device, a quantum cryptography service network and a quantum secure communication system, so as to solve the problem that quantum secure communication methods in the related art cannot meet the quantum cryptography application needs of diversified future services and large numbers of users.
In order to solve the above problem, an embodiment of the present disclosure provides a quantum secure communication method, including:
a first device obtains a first quantum key and/or a first quantum random number from a first network, or obtains the first quantum key and/or the first quantum random number locally;
providing a second quantum key and/or a second quantum random number to a second device.
Wherein, the method further includes:
the first device determines whether the second device at the destination belongs to the nodes of its own area.
Wherein, the first device determining whether the second device at the destination belongs to the nodes of its own area includes:
the first device receives a first message sent by the second device at the source; the first message carries device-related information of the second device at the destination;
determining, according to the device-related information of the second device at the destination, whether the second device at the destination belongs to the nodes of its own area.
Wherein, providing the second quantum key and/or the second quantum random number to the second device includes:
providing the second quantum key and/or the second quantum random number to the second device at the source and the second device at the destination.
Wherein, providing the second quantum key and/or the second quantum random number to a plurality of second devices includes:
the first device directly provides the second quantum key and/or the second quantum random number to the second device at the source and the second device at the destination;
or, the first device provides the second quantum key and/or the second quantum random number to only some of the second devices, so that those second devices send the second quantum key and/or the second quantum random number to the other second devices participating in the communication.
Wherein, providing the second quantum key and/or the second quantum random number includes:
providing the second device with the corresponding second quantum key and/or second quantum random number;
or, separately encrypting the second quantum key and/or the second quantum random number corresponding to the second device, and then providing the encrypted second quantum key and/or second quantum random number.
Wherein, separately encrypting the second quantum key and/or the second quantum random number corresponding to each second device includes:
encrypting the second quantum key and/or the second quantum random number with a first key, where the first key is a symmetric key shared between the first device and each second device;
or, encrypting the second quantum key and/or the second quantum random number with the public key corresponding to the digital certificate of the second device.
Wherein, the method further includes:
the first device receives a first message sent by the second device at the source; the first message carries at least one of the following: device-related information of the second device at the destination, service-related information, key-related information, and a first identifier;
obtaining the second quantum key and/or the second quantum random number, and the first identifier;
providing the second quantum key and/or the second quantum random number, and the first identifier, to the second device at the source and/or the second device at the destination.
Wherein, providing the second quantum key and/or the second quantum random number, and the first identifier, to the second device at the source and/or the second device at the destination includes one of the following:
providing the second quantum key and/or the second quantum random number and the first identifier to the second device at the source, so that the second device at the source sends the first identifier to the second device at the destination;
providing the second quantum key and/or the second quantum random number and the first identifier to the second device at the destination, so that the second device at the destination sends the first identifier to the second device at the source;
providing the second quantum key and/or the second quantum random number and the first identifier to both the second device at the source and the second device at the destination.
Wherein, the first device obtaining the first quantum key and/or the first quantum random number from the first network includes:
the first device receives a second message, sent by the second device at the source, requesting a quantum key;
sending a fourth message to a first KM in a QKD network;
receiving the first quantum key and/or the first quantum random number sent by the first KM.
Wherein, the first quantum key is obtained through negotiation between the first KM and a second KM after the first KM receives the fourth message.
Wherein, the method further includes:
the first device determines that the first KM is required to provide the first quantum key, or the first device determines that the first quantum keys in the current cache pool cannot meet the usage requirement.
Wherein, the second message carries at least one of the following: device-related information of the second device at the destination, service-related information, key-related information, and a second identifier;
correspondingly, the method further includes:
the first device obtains the second identifier from the second message, or the first device allocates a second identifier for this request.
Wherein, providing the second quantum key and/or the second quantum random number to the second device includes:
providing the second quantum key and/or the second quantum random number, and the second identifier, to the second device at the source.
Wherein, the method further includes:
sending a third message to a third device that provides quantum key services for the second device at the destination.
Wherein, the third message carries the second identifier.
Wherein, the third message is used for:
causing the third device to provide the second identifier at the same time as it provides the second quantum key and/or the second quantum random number to the second device at the destination;
or, causing the third device, when it receives a fifth message carrying the second identifier from the second device at the destination, to provide the second quantum key and/or the second quantum random number to the second device at the destination according to the second identifier.
Wherein, the method further includes:
the first device receives a second message, sent by the second device at the source, requesting a quantum key;
obtaining the first quantum key and/or the first quantum random number from a cache pool.
Wherein, the method further includes:
the first device stores the first quantum keys and/or first quantum random numbers obtained from the first network to form the cache pool;
wherein the first quantum keys in the cache pool are obtained through negotiation between the first KM and the second KM in the QKD network.
Wherein, the method further includes:
the first device determines to obtain the first quantum key from the cache pool.
Wherein, the second message carries at least one of the following: device-related information of the second device at the destination, service-related information, key-related information, and a second identifier;
correspondingly, the method further includes:
the first device obtains the second identifier from the second message, or the first device allocates a second identifier for this key service.
Wherein, providing the second quantum key and/or the second quantum random number to the second device includes:
providing the second quantum key and/or the second quantum random number, and the second identifier, to the second device at the source.
Wherein, the method further includes:
sending a third message to a third device that provides quantum key services for the second device at the destination.
Wherein, the third message carries the second identifier.
Wherein, the third message is used for:
causing the third device to provide the second identifier at the same time as it provides the second quantum key and/or the second quantum random number to the second device at the destination;
or, causing the third device, when it receives a fifth message carrying the second identifier from the second device at the destination, to provide the second quantum key and/or the second quantum random number to the second device at the destination according to the second identifier.
Wherein, the third message carries a third identifier, and the third identifier is used to identify the first quantum key and/or the first quantum random number.
Wherein, the third identifier is used for:
causing the third device to obtain, according to the third identifier, the corresponding first quantum key and/or first quantum random number from the cache pool.
Wherein, the method further includes:
receiving a third identifier sent by the third device, the third identifier being used to identify the first quantum key and/or the first quantum random number.
Wherein, providing the second quantum key and/or the second quantum random number to the second device includes:
providing the second quantum key and/or the second quantum random number to the second device, the second quantum key and/or the second quantum random number being used by the second device for security applications.
Wherein, the second quantum key and/or the second quantum random number are used by the second device as a session key, a key-protection key, a root key, a master key, an encrypted-storage key or an authentication key.
Wherein, providing the second quantum key and/or the second quantum random number to the second device includes at least one of the following situations:
sending the second quantum key and/or the second quantum random number to the second device online;
loading the second quantum key and/or the second quantum random number into the second device offline;
providing the second quantum key and/or the second quantum random number to the second device over a wired connection;
providing the second quantum key and/or the second quantum random number to the second device over a wireless connection.
An embodiment of the present disclosure further provides a quantum secure communication device, including:
a processing module, configured to obtain a first quantum key and/or a first quantum random number from a first network, or to obtain the first quantum key and/or the first quantum random number locally;
a sending module, configured to provide a second quantum key and/or a second quantum random number to a second device.
An embodiment of the present disclosure further provides a device, including a memory, a processor, and a program stored on the memory and executable on the processor; when the processor executes the program, the method described above is implemented.
An embodiment of the present disclosure further provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the steps of the method described above are implemented.
An embodiment of the present disclosure further provides a quantum secure communication method, including:
receiving a first quantum key and/or a first quantum random number sent by a second KM in a QKD network, or obtaining the first quantum key and/or the first quantum random number from a cache pool;
providing a second quantum key and/or a second quantum random number to the second device at the destination.
Wherein, receiving the first quantum key and/or the first quantum random number sent by the second KM in the QKD network includes:
sending a seventh message to the second KM in the QKD network, and receiving the first quantum key and/or the first quantum random number sent by the second KM in the QKD network;
or, in listening mode, waiting for the second KM in the QKD network to send the first quantum key and/or the first quantum random number.
Wherein, the method further includes:
receiving a third message sent by a first device that provides quantum key services for the second device at the source.
Wherein, the third message further carries a third identifier, and the third identifier is used to identify the first quantum key and/or the first quantum random number.
Wherein, the method further includes:
the third device obtains, according to the third identifier, the corresponding first quantum key and/or first quantum random number from the cache pool.
Wherein, the method further includes:
after receiving the third message, sending a third identifier to the first device, the third identifier being used to identify the first quantum key and/or the first quantum random number.
Wherein, providing the second quantum key and/or the second quantum random number to the second device at the destination includes:
actively providing the second quantum key and/or the second quantum random number to the second device at the destination;
or, after receiving a fifth message sent by the second device at the destination, providing the second quantum key and/or the second quantum random number to the second device at the destination.
Wherein, the third message carries the second identifier.
Wherein, providing the second quantum key and/or the second quantum random number to the second device at the destination includes:
the third device provides the second identifier at the same time as it provides the second quantum key and/or the second quantum random number to the second device at the destination;
or, when the third device receives a fifth message carrying the second identifier from the second device at the destination, it provides the second quantum key and/or the second quantum random number to the second device at the destination according to the second identifier.
An embodiment of the present disclosure further provides a quantum secure communication device, including:
a receiving unit, configured to receive a first quantum key and/or a first quantum random number sent by a second KM in a QKD network, or to obtain the first quantum key and/or the first quantum random number from a cache pool;
a sending unit, configured to provide a second quantum key and/or a second quantum random number to the second device at the destination.
An embodiment of the present disclosure further provides a device, including a memory, a processor, and a program stored on the memory and executable on the processor; when the processor executes the program, the method described above is implemented.
An embodiment of the present disclosure further provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the steps of the method described above are implemented.
An embodiment of the present disclosure further provides a quantum cryptography service network, including several first devices as described above and/or several third devices as described above.
An embodiment of the present disclosure further provides a quantum secure communication system, including the quantum cryptography service network as described above, the first network and the user network.
The above technical solution of the present disclosure has at least the following beneficial effects:
In the quantum secure communication method and device, quantum cryptography service network and quantum secure communication system of the embodiments of the present disclosure, the first device integrates and interconnects the user network and the first network in a loosely coupled manner, thereby meeting the needs of future networks and services for diversified, large-scale application of quantum cryptography.
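The summary above describes three things that a service node has to do: serve a key request from a source device out of a cache pool of KM-negotiated keys, tie the source-side and destination-side deliveries together with a second identifier (and, across areas, a third identifier sent to the third device), and protect each delivery with the symmetric first key shared with that device. The following simulation is an added example, not code from the patent or from the applicant; the QKD network and both KMs are replaced by a constructed pool of random keys that both nodes hold, the second quantum key is assumed to be the pooled first quantum key passed through unchanged (the patent does not fix how one is obtained from the other), and the wrapping uses an HMAC-SHA256 encrypt-then-MAC construction from the standard library as a stand-in for a real AEAD cipher. Device names "A", "B", "C" and the pool identifiers are constructed.

```python
import hashlib
import hmac
import secrets
import uuid


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for a real AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(first_key: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC a delivered quantum key under the device's symmetric first key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(first_key, nonce, len(payload))))
    tag = hmac.new(first_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(first_key: bytes, blob: bytes) -> bytes:
    """Reverse of wrap_key; rejects any delivery whose tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(first_key, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(first_key, nonce, len(ct))))


class KeyServiceNode:
    """Service node: the first device for its own area, the third device for a peer's."""

    def __init__(self, region, cache_pool, device_keys):
        self.region = set(region)             # second devices that are local-area nodes
        self.cache_pool = dict(cache_pool)    # third identifier -> first quantum key
        self.device_keys = dict(device_keys)  # per-device symmetric first key
        self.peers = {}                       # destination device -> node serving it
        self.pending = {}                     # second identifier -> third identifier
        self.delivered = {}                   # (device, second identifier) -> wrapped key

    def is_local(self, device_id: str) -> bool:
        return device_id in self.region

    def _deliver(self, device_id: str, second_id: str, key: bytes) -> None:
        self.delivered[(device_id, second_id)] = wrap_key(self.device_keys[device_id], key)

    def handle_key_request(self, src: str, dst: str) -> str:
        """Second message from src: serve it and return the allocated second identifier."""
        if not self.cache_pool:
            raise RuntimeError("cache pool empty: a fourth message to the KM would be needed")
        third_id = next(iter(self.cache_pool))      # choose a pooled first quantum key
        second_key = self.cache_pool.pop(third_id)  # assumption: second key == first key
        second_id = str(uuid.uuid4())               # first device allocates the identifier
        self._deliver(src, second_id, second_key)
        if self.is_local(dst):
            self._deliver(dst, second_id, second_key)                  # local service
        else:
            self.peers[dst].handle_third_message(second_id, third_id)  # third message
        return second_id

    def handle_third_message(self, second_id: str, third_id: str) -> None:
        self.pending[second_id] = third_id  # remember which pooled key the id refers to

    def handle_fifth_message(self, dst: str, second_id: str) -> None:
        # Destination presents the second identifier; look up the matching pooled key.
        third_id = self.pending.pop(second_id)
        self._deliver(dst, second_id, self.cache_pool.pop(third_id))

    def fetch(self, device_id: str, second_id: str) -> bytes:
        """What the second device does on receipt: unwrap with its own first key."""
        blob = self.delivered.pop((device_id, second_id))
        return unwrap_key(self.device_keys[device_id], blob)


def build_demo():
    # Constructed data: two pooled keys (as if negotiated by the two KMs) and three devices.
    pool = {"k-0001": secrets.token_bytes(32), "k-0002": secrets.token_bytes(32)}
    keys = {d: secrets.token_bytes(32) for d in ("A", "B", "C")}
    node1 = KeyServiceNode(["A", "B"], pool, {"A": keys["A"], "B": keys["B"]})
    node2 = KeyServiceNode(["C"], pool, {"C": keys["C"]})
    node1.peers["C"] = node2
    return node1, node2


def run_local_flow() -> bool:
    node1, _ = build_demo()
    sid = node1.handle_key_request("A", "B")
    return node1.fetch("A", sid) == node1.fetch("B", sid)


def run_cross_area_flow() -> bool:
    node1, node2 = build_demo()
    sid = node1.handle_key_request("A", "C")
    node2.handle_fifth_message("C", sid)  # C presents the identifier it learned from A
    return node1.fetch("A", sid) == node2.fetch("C", sid)


def tampered_delivery_is_rejected() -> bool:
    node1, _ = build_demo()
    sid = node1.handle_key_request("A", "B")
    blob = node1.delivered[("A", sid)]
    node1.delivered[("A", sid)] = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    try:
        node1.fetch("A", sid)
    except ValueError:
        return True
    return False
```

Two points the text states only implicitly are visible here: a pooled key is removed from the pool on both nodes once it is used, so the third identifier can never select the same key twice, and the destination node only delivers once the fifth message arrives, which is the second of the two delivery options in the summary (the first, delivering proactively together with the second identifier, would call `_deliver` from `handle_third_message` instead).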
Description of the drawings
Figure 1 shows a schematic structural diagram of a quantum secure communication network in the current technology;
Figure 2 shows a first flow chart of the steps of the quantum secure communication method provided by an embodiment of the present disclosure;
Figure 3 shows a second flow chart of the steps of the quantum secure communication method provided by an embodiment of the present disclosure;
Figure 4 shows a schematic structural diagram of the quantum secure communication system provided by an embodiment of the present disclosure;
Figure 5 shows a schematic diagram of the service areas of the quantum cryptography service centers provided by an embodiment of the present disclosure;
Figure 6 shows an example diagram of the quantum secure communication method provided by an embodiment of the present disclosure;
Figure 7 shows a third flow chart of the steps of the quantum secure communication method provided by an embodiment of the present disclosure;
Figure 8 shows a schematic diagram of local quantum cryptography service and quantum secure communication processing in an embodiment of the present disclosure;
Figure 9 shows a first schematic diagram of cross-region quantum cryptography service and quantum secure communication processing in an embodiment of the present disclosure;
Figure 10 shows a second schematic diagram of cross-region quantum cryptography service and quantum secure communication processing in an embodiment of the present disclosure;
Figure 11 shows a first schematic structural diagram of the quantum secure communication apparatus provided by an embodiment of the present disclosure;
Figure 12 shows a schematic structural diagram of the first device provided by an embodiment of the present disclosure;
Figure 13 shows a second schematic structural diagram of the quantum secure communication apparatus provided by an embodiment of the present disclosure;
Figure 14 shows a schematic structural diagram of the third device provided by an embodiment of the present disclosure.
Detailed description of embodiments
To make the technical problems to be solved, the technical solutions and the advantages of the present disclosure clearer, a detailed description is given below with reference to the accompanying drawings and specific embodiments.
As shown in Figure 1, a current quantum secure communication network consists of a quantum key distribution (QKD) network that provides key distribution capability and a user network that uses the keys distributed by the QKD network to implement cryptographic applications. The QKD network part comprises a quantum layer, a key management layer, a QKD network (QKDN) control layer and a QKDN network management layer. The user network part comprises an application layer and a user network management layer.
On the service plane, the QKDN key management layer is the bridge between the QKD network and the user network (the QKDN network management layer and the user network management layer are also interconnected through the Mu reference point, but that belongs to the management plane and is outside the scope of this patent). It receives and stores the quantum keys generated by the QKD modules of the quantum layer and manages their entire life cycle; it performs long-distance relaying of quantum keys to achieve QKD end-to-end key distribution; and, through the Ak reference point/Ak interface, it provides the quantum keys generated by the QKD network and synchronized at both ends of the communication to the applications of the user network, so that the applications of both communicating parties can use the quantum keys provided by the QKD network to communicate securely. Here the Ak reference point is critical: it connects the cryptographic application (APP) with the key supply agent (KSA) function module of the key management layer, and its main functions are mutual authentication between the cryptographic application and the KSA, and the supply of quantum keys from the KSA to the cryptographic application.
However, under this architecture, how to use the Ak interface to manage the entire life cycle of quantum keys, including their generation and distribution, is a problem that urgently needs to be solved.
An embodiment of the present disclosure provides a quantum secure communication method, as shown in Figure 2, including:
S201. A first device obtains a first quantum key and/or a first quantum random number locally;
S202. The first device provides a second quantum key and/or a second quantum random number to a second device.
Here, the first device may be a key manager (KM) in the QKD network. In addition, the QKD network here may also be called a quantum key distribution (QKD) network, a quantum secure communication network, a quantum communication network, a quantum network, a network layer, etc.
The second device here is any of various security devices that use quantum keys and/or quantum random numbers to carry out secure communication, secure authentication, secure storage and the like, thereby enabling diversified service applications. In the functional architecture model of the quantum secure communication network, the second device belongs to the application layer of the user network, as opposed to the quantum key distribution network. Specific service applications may be, for example, data transmission on backbone lines; off-site disaster recovery for data centers; secure communication for mobile or fixed end users (e.g., encrypted voice telephony, encrypted calls, encrypted voice calls, encrypted video telephony, encrypted video calls, encrypted instant messaging, encrypted push-to-talk, encrypted video conferencing, etc.); Internet digital services between terminals and servers (e.g., e-government, e-finance, e-energy, etc.); satellite-based integrated air-space-ground-sea secure communication in wide-area environments (based on Internet Protocol Security (IPSec), Transport Layer Security (TLS), etc.); secure storage of sensitive information; and so on. All of these will be further interconnected with quantum secure communication and use quantum information technology to improve their own service security capability. In some embodiments, sending the quantum key and/or quantum random number to the second device may also be described as sending the quantum key and/or quantum random number to a second application, second network element, second function, second entity, second organization, second unit, second module, second component, etc.; the principle is that the quantum key and/or quantum random number provided by the first device is used for service processing to ensure the security of information. The second device may be located at the user network layer or application layer of the quantum secure communication network, or at the quantum cryptography application layer.
Sending the quantum key to the second device here may be active pushing/sending, that is, the first device actively pushes the second quantum key and/or second quantum random number to the second device, which may further be periodic pushing or event-triggered pushing, etc.; it may of course also be passive sending, that is, the second device actively requests the second quantum key and/or second quantum random number from the first device, and the first device then sends the second quantum key and/or second quantum random number to the second device.
In addition, a key here refers to secret information used to complete cryptographic applications such as encryption, decryption and integrity verification. In symmetric cryptography, the same key is used for encryption and decryption, so the key must be kept secret. In public-key cryptography, the keys used for encryption and decryption differ: one is public and is called the public key; the other is kept secret and is called the private key. A quantum key is a key generated on the basis of quantum mechanical principles from the uncertainty of the state of quantum particles, and has true randomness. A quantum random number is a random number sequence generated on the basis of quantum mechanical principles from the uncertainty of the state of quantum particles, and likewise has true randomness. In practical applications, quantum random numbers may be transmitted openly over a channel. In the present disclosure, quantum keys and quantum random numbers are equivalent and may both be used in the various embodiments provided by the present disclosure; to simplify the description, quantum keys are used in the examples that follow, but it will be understood that the illustrated content applies equally to quantum random numbers. Furthermore, in the present disclosure a key may also be referred to as a cipher, with the same meaning.
The first quantum key and the second quantum key here may be identical, that is, the quantum key provided locally by the first device is sent to the second device. Specifically, the first device may provide the first quantum key to the second device in real time after obtaining it locally; or the first device may generate the first quantum key locally, store it, and later provide the stored first quantum key to the second device.
The first quantum key and the second quantum key here may also be different, in which case there are the following possibilities: 1) after the first device obtains the first quantum key locally, it performs a series of processing on the key to obtain the second quantum key, and then provides the second quantum key to the second device; 2) it will be understood that multiple first quantum keys may be generated locally, and the first device selects at least one second quantum key from among the multiple first quantum keys, that is, the second quantum key may be a subset of the first quantum keys, and the first device then provides the second quantum key to the second device; further, after generating multiple first quantum keys locally, the first device may perform key selection in real time to obtain the second quantum key, or may first store the multiple generated first quantum keys and then select the second quantum key from the stored set of first quantum keys; 3) a combination of mode 1 and mode 2, that is, processing first and then selecting, or selecting first and then processing.
The relationship between the first quantum random number and the second quantum random number is similar to that between the first quantum key and the second quantum key, and is not described again here.
In some embodiments, providing the second quantum key and/or second quantum random number to the second device in step S202 includes:
S2021. Providing the second quantum key and/or second quantum random number to the second device, where the second quantum key and/or second quantum random number is used by the second device for a security application.
Here, the security application may be any of various applications such as secure communication, security authentication and encrypted storage.
Further, the second quantum key and/or second quantum random number here is used by the second device as a session key, key protection key, root key, master key, storage encryption key or authentication key. That is, the role of the second quantum key is determined by the second device according to the specific form of the security application; the first device is responsible only for providing the second quantum key.
In some embodiments, providing the second quantum key and/or second quantum random number to the second device in step S202 includes at least one of the following:
sending the second quantum key and/or second quantum random number to the second device online;
loading the second quantum key and/or second quantum random number into the second device offline;
providing the second quantum key and/or second quantum random number to the second device in a wired manner;
providing the second quantum key and/or second quantum random number to the second device in a wireless manner.
However, current quantum secure communication network technology based on QKD mainly addresses the networking architecture, module functions, operating procedures, communication protocols, equipment and interfaces of the QKD key distribution network, and lacks research at the level of the user network and service applications. Because the quantum cryptography application scenario envisioned when the QKD network architecture shown in Figure 1 was designed is relatively uniform, the QKD key management layer solution adopted is also relatively simple: it distinguishes different service applications only by the identifiers of the cryptographic application APP and the QKD key stream, without dividing and managing services and users by type, level, or coarse and fine granularity, and therefore cannot meet the needs of future diversified, large-scale service development.
To address the above problems, embodiments of the present disclosure propose a quantum secure communication application service system architecture and method, so as to meet more effectively the application needs of future diversified services and large-scale user populations for quantum cryptography.
An embodiment of the present disclosure provides another quantum secure communication method, as shown in Figure 3, including:
S301. A first device obtains a first quantum key and/or a first quantum random number from a first network, or obtains the first quantum key and/or first quantum random number locally;
S302. The first device provides a second quantum key and/or a second quantum random number to a second device.
The system architecture to which the method provided by the embodiment of the present disclosure applies may be as shown in Figure 4. Referring to Figure 4, it should be noted that:
(1) The first device may be a quantum key service center, that is, a device that provides quantum key services; it may also have other names, such as quantum key server, quantum key service platform, quantum key service device, quantum key management device, quantum key cloud service platform or system, quantum (secure) communication service center, quantum basic key management center, quantum cryptography server, quantum cryptography service center, quantum cryptography service platform, quantum basic cryptography management center, etc.;
(2) The first network may be a quantum key distribution (QKD) network, a quantum secure communication network, a quantum communication network or a quantum network, and may also be called the first network layer or the QKD network layer;
(3) The second device is any of various security devices that use quantum keys and/or quantum random numbers to carry out secure communication, secure authentication, secure storage and the like, thereby enabling diversified service applications. In the functional architecture model of the quantum secure communication network, the second device belongs to the application layer of the user network, as opposed to the quantum key distribution network. Specific service applications may be, for example, data transmission on backbone lines; off-site disaster recovery for data centers; secure communication for mobile or fixed end users (e.g., encrypted voice telephony, encrypted calls, encrypted voice calls, encrypted video telephony, encrypted video calls, encrypted instant messaging, encrypted push-to-talk, encrypted video conferencing, etc.); Internet digital services between terminals and servers (e.g., e-government, e-finance, e-energy, etc.); satellite-based integrated air-space-ground-sea secure communication in wide-area environments (based on IPSec, TLS, etc.); secure storage of sensitive information; and so on. All of these will be further interconnected with quantum secure communication and use quantum information technology to improve their own service security capability.
In some embodiments, sending the quantum key and/or quantum random number to the second device may also be described as sending the quantum key and/or quantum random number to a second application, second network element, second function, second entity, second organization, second unit, second module, second component, etc.; the principle is that the quantum key and/or quantum random number provided by the first device is used for service processing to ensure the security of information.
The second device may be located at the user network layer or application layer of the quantum secure communication network, or at the quantum cryptography application layer;
(4) The first device is located between the first network and the second device and may form an independent intermediate layer that links the layer below to the layer above. This intermediate layer may be called the quantum cryptography (application) service layer, the quantum (secure) communication application service layer, the quantum basic key management layer, etc.;
(5) The first device may obtain keys from the first network actively, for example by actively requesting the first quantum key and/or first quantum random number from the first network, which may further be periodic acquisition or event-triggered acquisition, etc.; it may of course also obtain them passively, that is, the first network actively pushes the first quantum key and/or first quantum random number to the first device, which may likewise be periodic pushing or event-triggered pushing, etc.;
(6) Sending the quantum key to the second device may also be active pushing/sending, that is, the first device actively pushes the second quantum key and/or second quantum random number to the second device, which may further be periodic pushing or event-triggered pushing, etc.; it may of course also be passive sending, that is, the second device actively requests the second quantum key and/or second quantum random number from the first device, and the first device then sends the second quantum key and/or second quantum random number to the second device.
(7) A key refers to secret information used to complete cryptographic applications such as encryption, decryption and integrity verification. In symmetric cryptography, the same key is used for encryption and decryption, so the key must be kept secret. In public-key cryptography, the keys used for encryption and decryption differ: one is public and is called the public key; the other is kept secret and is called the private key. A quantum key is a key generated on the basis of quantum mechanical principles from the uncertainty of the state of quantum particles, and has true randomness. A quantum random number is a random number sequence generated on the basis of quantum mechanical principles from the uncertainty of the state of quantum particles, and likewise has true randomness. In practical applications, quantum random numbers may be transmitted openly over a channel.
In the present disclosure, quantum keys and quantum random numbers are equivalent and may both be used in the various embodiments provided by the present disclosure; to simplify the description, quantum keys are used in the examples that follow, but it will be understood that the illustrated content applies equally to quantum random numbers.
In the present disclosure, a key may also be referred to as a cipher, with the same meaning.
(8) The first quantum key is provided by the QKD network to the first device, and the second quantum key is provided by the first device to the second device.
The first quantum key and the second quantum key may be identical, that is, the first device sends the quantum key provided by the QKD network on to the second device. Specifically, the first device may provide the first quantum key to the second device in real time upon receiving it; or the first device may first store the first quantum key after receiving it and later provide the stored first quantum key to the second device.
Of course, the first quantum key and the second quantum key may also be different, in which case there are the following possibilities: 1) after the first device obtains the first quantum key from the QKD network, it performs a series of processing on the key to obtain the second quantum key, and then provides the second quantum key to the second device; 2) it will be understood that the QKD network provides multiple first quantum keys to the first device; after obtaining the multiple first quantum keys from the QKD network, the first device selects at least one second quantum key from among them, that is, the second quantum key may be a subset of the first quantum keys, and the first device then provides the second quantum key to the second device; further, after obtaining multiple first quantum keys, the first device may perform key selection in real time to obtain the second quantum key, or may first store the multiple first quantum keys and then select the second quantum key from the stored set of first quantum keys; 3) a combination of mode 1 and mode 2, that is, processing first and then selecting, or selecting first and then processing. The relationship between the first quantum random number and the second quantum random number is similar to that between the first quantum key and the second quantum key, and is not described again here.
In the case where the first device stores multiple first quantum keys to form a first quantum key cache pool, this approach effectively ensures that the second device's application demand for quantum keys is met.
Specifically, current QKD networks mainly use single photons as the basic quantum particles and negotiate keys between end nodes through the BB84 or GG02 protocol; their performance is very limited, negotiating only roughly several hundred to several thousand bits of key per second. However, the applications supported by the upper-layer second device are diverse, and each has a different requirement for the amount of key. To achieve theoretically unconditionally secure information transmission with a one-time pad, the QKD network would need to support a QKD key negotiation rate greater than the data transmission rate. For example, the rate of voice data encoded with Adaptive Multi-Rate (AMR) coding is typically 4.75 kbps to 23.85 kbps, so the rate at which a QKD network generates quantum keys clearly falls far short of the data rate between second devices. In addition, when a second device runs multiple services concurrently or multiple second devices issue concurrent service requests, an instantaneous large demand for quantum keys arises. Because the quantum key negotiation rate of the QKD network is low, it cannot meet the real-time demand of concurrent services for quantum keys.
In the embodiments of the present disclosure, this problem is solved by the first device located between the QKD network and the second device. Specifically, one possible scenario is as follows: although the QKD network generates quantum keys slowly, it can generate keys continuously and keep sending them to the first device. The first device securely stores the multiple first quantum keys it receives, forming a key set or key pool, in which a large number of quantum keys provided by the QKD network can be stored in advance. The second device does not need a quantum key negotiated by the QKD network in real time in order to communicate, so when a quantum key needs to be provided to the second device, a pre-negotiated QKD quantum key can be selected from the key set or key pool and provided to the second device. In this way, the above problem is solved.
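The cache-pool mechanism just described, together with the first-key/second-key relationships of item (8) (pass-through, processing, subset selection), as an added Python model that is not part of the patent. The QkdSource stand-in for the Ak side, the HKDF-based processing step, the pool capacity and the bit rates are all assumptions; the rates follow the figures given in the text (a link of roughly 1 kbit/s against AMR voice at 4.75 kbit/s).

```python
"""Key-pool model for the first device (quantum cryptography service center).

Added example, not code from the patent. A slow QKD source fills a pool of
first quantum keys; the second device draws keys from the pool on demand,
either unchanged (subset selection) or after a processing step (HKDF).
"""
from __future__ import annotations

import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantumKey:
    key_id: str      # identifier shared by both ends of the QKD link
    material: bytes  # raw key bits delivered over the Ak interface


class QkdSource:
    """Assumed stand-in for the Ak side: emits fixed-size key blocks at a fixed rate.

    The text puts real links at hundreds to thousands of bits per second, so a
    1000 bit/s source fills one 256-bit block roughly every quarter second.
    """

    def __init__(self, bits_per_second: int, block_bits: int = 256) -> None:
        self.bits_per_second = bits_per_second
        self.block_bits = block_bits
        self._seq = 0

    def harvest(self, seconds: float) -> list[QuantumKey]:
        """Return the key blocks the link would have negotiated in `seconds`."""
        count = int(self.bits_per_second * seconds) // self.block_bits
        blocks = []
        for _ in range(count):
            self._seq += 1
            # os.urandom stands in for the quantum source in this model
            blocks.append(QuantumKey(f"qkd-{self._seq:06d}",
                                     os.urandom(self.block_bits // 8)))
        return blocks


class KeyPool:
    """First-quantum-key cache pool: FIFO of blocks received from the QKD network."""

    def __init__(self, capacity_blocks: int) -> None:
        self.capacity_blocks = capacity_blocks
        self._blocks = deque()

    def ingest(self, blocks: list[QuantumKey]) -> int:
        """Store blocks up to capacity; return how many were accepted."""
        accepted = 0
        for block in blocks:
            if len(self._blocks) >= self.capacity_blocks:
                break
            self._blocks.append(block)
            accepted += 1
        return accepted

    def available_bits(self) -> int:
        return sum(len(b.material) * 8 for b in self._blocks)

    def take(self, n: int) -> list[QuantumKey]:
        """Subset selection: hand out the n oldest blocks unchanged (pass-through)."""
        if n > len(self._blocks):
            raise LookupError(f"pool holds {len(self._blocks)} blocks, {n} requested")
        return [self._blocks.popleft() for _ in range(n)]


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) with a zero salt; the assumed processing step."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_second_key(first: QuantumKey, app_id: str) -> QuantumKey:
    """Processed second key: bind one first key to one application, so that two
    applications served from the same block never receive identical material."""
    return QuantumKey(f"{first.key_id}/{app_id}",
                      hkdf_sha256(first.material, app_id.encode()))


def otp_runway_seconds(pool_bits: int, app_bps: int, qkd_bps: int) -> float:
    """Seconds a one-time-pad session at app_bps can run from a pool of pool_bits
    while the link keeps adding qkd_bps; infinite if the link alone keeps up."""
    deficit = app_bps - qkd_bps
    return float("inf") if deficit <= 0 else pool_bits / deficit


if __name__ == "__main__":
    # Constructed scenario: 1 kbit/s link, pool of 4096 blocks, AMR voice at 4.75 kbit/s.
    link = QkdSource(bits_per_second=1000)
    pool = KeyPool(capacity_blocks=4096)
    pool.ingest(link.harvest(seconds=3600))  # an hour of pre-negotiation
    print("pool bits:", pool.available_bits())
    print("one-time-pad runway (s):",
          otp_runway_seconds(pool.available_bits(), 4750, 1000))
    (first,) = pool.take(1)
    print("processed second key:", derive_second_key(first, "voice-app").key_id)
```

The runway figure makes the text's point concrete: an hour of pre-negotiated key covers only a few minutes of one-time-pad voice, which is why the pool, not the live link, has to absorb concurrent demand.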
In summary, the embodiments of the present disclosure propose adding an intermediate layer between the quantum key distribution network and the user network to realize the integration and interconnection of the underlying quantum network and the upper-layer user applications. This intermediate layer may be called the quantum cryptography service layer, the quantum (secure) communication application service layer, the quantum basic key management layer, etc.; it may consist of one or more quantum cryptography service centers, cloud service platforms or systems (also called quantum (secure) communication service centers, quantum basic key management centers, etc.), which together form a quantum cryptography service network or quantum secure communication service network.
The quantum cryptography service layer separates the previously tightly coupled QKD quantum network layer and quantum cryptography application layer, reducing the coupling between them and linking the two so as to facilitate the integrated development of QKD networks and applications. On the one hand, it extracts the basic common capabilities of the underlying QKD network and encapsulates them uniformly into standard service interfaces that the upper layer can call directly, thereby shielding the upper layer from the implementation details of the underlying quantum QKD network (system architecture, topology, working mechanism, equipment differences, etc.); the underlying QKD network thus becomes transparent to upper-layer quantum cryptography applications, and the complexity of managing and using QKD capabilities in the upper layer is reduced. On the other hand, it manages and controls the massive numbers of users in the different upper-layer networks and service scenarios, and consolidates the upper-layer quantum cryptography application requirements into unified requirements presented to the underlying QKD network, which facilitates implementation of the Ak interface and avoids the impact that direct access by massive, diversified upper-layer services would have on the underlying quantum network; this is conducive to the rapid proliferation and development of all kinds of quantum cryptography service applications. Each newly added service only needs to interface and adapt to the intermediate layer to obtain quantum security capability; the underlying QKD network is no longer required to adapt to each new service, so the complexity of both the QKD network and the service implementation is reduced.
In addition, referring to Figure 4, the quantum cryptography service center is the core entity of the quantum cryptography service layer. Southbound, it connects to the QKD network through the Ak interface and obtains the symmetric keys or quantum random numbers generated by the QKD network. Northbound, it connects to the various business applications of the quantum cryptography application layer through the As interface and provides them with quantum cryptographic material on demand. The quantum cryptography service center may also deploy quantum random number generators locally to generate quantum random numbers and keys for use by upper-layer business applications.
Each quantum cryptography service center has a defined service scope. Through the Ak interface it connects to the key management nodes of the QKD network within its region (for example, a quantum key manager (Key Manager, KM)) and provides quantum cryptography services to the users within that region, as shown in Figure 5. For example, the quantum cryptography service center deployed in region A (for example, Beijing) admits network devices and business applications in Beijing (for example, devices A and B) and serves them; the quantum cryptography service center deployed in region B (for example, Shanghai) serves users in Shanghai (for example, device C); and so on. Each quantum cryptography service center therefore manages and maintains the users within its service area and provides them with quantum cryptography services.
These include: registration and activation of upper-layer users and services; modification/cancellation of a user's quantum cryptography services; maintenance of user service state; secure identity authentication of users that connect; authorization of quantum cryptography services; provision of quantum cryptography security media to users (for example, a Universal Serial Bus (USB) key, a Trans Flash (TF) cryptographic card, a Subscriber Identity Module (SIM) card, a security chip, and so on); offline loading of quantum keys into a user's security medium; and online provision to users of quantum cryptographic material (quantum random numbers, quantum keys, etc.) or quantum cryptography security services (encryption, decryption, integrity protection/verification, digital signature/signature verification and other cryptographic protection based on quantum cryptographic material).
Quantum cryptography service centers are interconnected so that the quantum keys required by upper-layer user applications can be negotiated through the QKD network. Multiple (two or more) quantum cryptography service centers can therefore be combined into a service network that corresponds to the underlying QKD network and provides quantum cryptography services to upper-layer users over a wide area.
In some embodiments, the method provided by the embodiments of the present disclosure further includes:
S301′: the first device determines whether the destination-side second device belongs to the local region (domain).
The domain here refers to the service range within which the first device provides quantum key services. There is no fixed order between this determination step and the step in which the first device obtains the first quantum key and/or first quantum random number from the QKD network.
In a specific implementation, when the source-side second device wants to initiate quantum secure communication with the destination-side second device, it first sends a key request to the first device that provides it with quantum key services, in order to obtain the quantum key to be used for secure communication with the destination-side second device. The first device then needs to determine whether the destination-side second device belongs to the local domain and proceed according to the result. The source end may also be called the active end, and the destination end the passive end.
Further, in step S301′, the first device determining whether the destination-side second device belongs to the local domain includes:
A) the first device receives a first message sent by the source-side second device, where the first message carries device-related information of the destination-side second device;
B) the first device determines, from the device-related information of the destination-side second device, whether the destination-side second device belongs to the local domain.
Specifically, the device-related information of the destination-side second device can take various forms: for example, device information of the destination-side second device (address, identifier, etc.), or home information of the destination-side second device (information identifying the first device that provides quantum key services to the destination-side second device).
In some embodiments, step S302, providing the second quantum key and/or second quantum random number to the second device, may include:
S302′: providing the second quantum key and/or second quantum random number to the source-side second device and the destination-side second device.
In practice, the following situations may arise:
(1) The first device determines that the destination-side second device(s) belong to the local domain (local service area). In this case the first device provides the second quantum key and/or second quantum random number to both the source-side second device and the destination-side second device.
(2) All of the second devices lie in a single region (service area), so there is no notion of cross-region or cross-domain. The first device then does not need to determine whether a second device belongs to the local domain and can provide the second quantum key and/or second quantum random number directly to the source-side and destination-side second devices without that determination.
In addition, in multi-party communication there may be more than one destination-side second device.
In some embodiments, keys can be distributed to multiple second devices in several ways, specifically:
S302a′: the first device provides the second quantum key and/or second quantum random number directly to the source-side second device and the destination-side second device;
or, S302b′: the first device provides the second quantum key and/or second quantum random number only to some of the second devices, and those second devices forward the second quantum key and/or second quantum random number to the other second devices participating in the communication.
Where:
In the first case, quantum key distribution is performed by the first device alone: the first device provides the second quantum key to the source-side second device and to the destination-side second device(s) (there may be one or more destination-side second devices);
In the second case, quantum key distribution is performed by the first device together with some of the second devices: the first device first distributes the second quantum key to some of the second devices (for example, the source-side second device), and those second devices then forward the second quantum key to the other second devices participating in the communication (for example, the source-side second device sends it on to the destination-side second device).
In some embodiments, the keys distributed to multiple second devices may be handled in several ways, specifically:
S302c′: providing each second device with its corresponding second quantum key and/or second quantum random number as-is;
or, S302d′: encrypting the second quantum key and/or second quantum random number corresponding to each second device separately, and providing the encrypted second quantum key and/or second quantum random number.
Where:
In the first case, the first device provides the corresponding second quantum key to the second device directly. This generally presumes that the interaction between the first device and the second device is already secure, for example because the first device and the second device are in the same physically secured environment.
In the second case, the second quantum key corresponding to each second device is encrypted separately before being sent. This is generally done to ensure the security of the communication between the first device and the second device: the second quantum key must be encrypted before it leaves the first device.
For the second case, several forms of encryption are possible. Specifically, separately encrypting the second quantum key and/or second quantum random number corresponding to each second device may include:
encrypting the second quantum key and/or second quantum random number with a first key, where the first key is a symmetric key shared between the first device and the respective second device;
For example, let the symmetric key between second device A and the first device be K1 (a symmetric key may also be called a shared key), and the symmetric key between second device B and the first device be K2. For a second quantum key Ks to be distributed, the first device encrypts Ks under K1 and, separately, encrypts Ks under K2, and sends the two ciphertexts to second device A and second device B respectively. Second device A and second device B then decrypt what they received with K1 and K2 respectively to recover the second quantum key Ks.
Alternatively, the second quantum key and/or second quantum random number may be encrypted with the public key corresponding to the second device's digital certificate.
For example, the first device encrypts the second quantum key Ks under the public key in second device A's digital certificate and, separately, under the public key in second device B's digital certificate, then sends the results to second device A and second device B respectively. Second device A and second device B each decrypt the received ciphertext with the private key corresponding to their own certificate to recover the second quantum key Ks.
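The symmetric variant above (Ks wrapped once under K1 for device A and once under K2 for device B), as an added example that is not part of the patent. It uses only the Python standard library: the wrap is an encrypt-then-MAC construction with an HMAC-SHA256 keystream and an HMAC-SHA256 tag, both derived from the device's shared key and a fresh nonce; a deployment would use an AEAD such as AES-GCM, and the per-device structure, not the cipher, is the point. The device identifier is bound into the tag so a package wrapped for A cannot be replayed to B. The key values in the usage are constructed for the example.

```python
"""Per-device wrapping of one distributed second quantum key Ks (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _derive(shared_key: bytes, label: bytes, nonce: bytes) -> bytes:
    """Derive a per-message sub-key (enc or mac) from the device's shared key."""
    return hmac.new(shared_key, label + nonce, hashlib.sha256).digest()


def _keystream(enc_key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(shared_key: bytes, device_id: bytes, ks: bytes,
             nonce: Optional[bytes] = None) -> bytes:
    """First device side: produce nonce || ciphertext || tag for one device."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    enc_key = _derive(shared_key, b"enc", nonce)
    mac_key = _derive(shared_key, b"mac", nonce)
    ct = bytes(a ^ b for a, b in zip(ks, _keystream(enc_key, len(ks))))
    # Tag covers the recipient id, so a package for A is rejected by B.
    tag = hmac.new(mac_key, device_id + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(shared_key: bytes, device_id: bytes, package: bytes) -> Optional[bytes]:
    """Second device side: verify the tag first, then decrypt. None on failure."""
    if len(package) < NONCE_LEN + TAG_LEN:
        return None
    nonce = package[:NONCE_LEN]
    ct = package[NONCE_LEN:-TAG_LEN]
    tag = package[-TAG_LEN:]
    mac_key = _derive(shared_key, b"mac", nonce)
    expected = hmac.new(mac_key, device_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    enc_key = _derive(shared_key, b"enc", nonce)
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def distribute(ks: bytes, shared_keys: Dict[bytes, bytes]) -> Dict[bytes, bytes]:
    """First device: wrap the same Ks separately under each device's shared key."""
    return {dev: wrap_key(k, dev, ks) for dev, k in shared_keys.items()}


if __name__ == "__main__":
    # Constructed values: K1 and K2 are the shared keys with devices A and B.
    K1, K2 = os.urandom(32), os.urandom(32)
    Ks = os.urandom(32)
    packages = distribute(Ks, {b"A": K1, b"B": K2})
    assert unwrap_key(K1, b"A", packages[b"A"]) == Ks
    assert unwrap_key(K2, b"B", packages[b"B"]) == Ks
    assert unwrap_key(K2, b"B", packages[b"A"]) is None  # B cannot open A's package
    print("Ks recovered by A and B; cross-device unwrap rejected")
```

The unwrap verifies the tag before touching the ciphertext, which is the order a receiver should always use; a package with a flipped byte, or one addressed to a different device identifier, is rejected without yielding any key material.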
In some embodiments, the method provided by the embodiments of the present disclosure further includes:
the first device receives a first message sent by the source-side second device, where the first message carries at least one of: device-related information of the destination-side second device, service-related information, key-related information, and a first identifier;
obtaining the second quantum key and/or second quantum random number, and the first identifier;
providing the second quantum key and/or second quantum random number, together with the first identifier, to the source-side second device and/or the destination-side second device.
Where:
(1) After receiving the first message, the first device can obtain the second quantum key and/or second quantum random number and the first identifier on the basis of some or all of the content carried in the first message.
(2) "Obtaining" here may mean that the first device gets the item from elsewhere (for example, from the QKD network), that the first device generates it itself, or that the first device reads it out of the first message.
(3) The first identifier may be generated either by the first device or by the second device, specifically:
a. the first identifier is generated by the source-side second device and sent to the first device in the first message; the first device obtains the first identifier by reading the first message;
b. the first identifier is generated by the first device: if the first message sent by the source-side second device carries no first identifier, the first device generates one itself.
(4) The purpose of the first identifier is to bind the second quantum key to a transaction, where a transaction is one instance of secure communication between the source-side second device and the destination-side second device, for example an encrypted call or an encrypted message exchange. The first identifier indicates which second quantum key is to be used for this transaction. It can be realised in many ways, for example as a key identifier, a transaction identifier, a randomly generated identifier, a sequence number, a code, and so on.
It should be noted that the first identifier mentioned in the embodiments of the present disclosure may indicate the second quantum key to be used for a single transaction, or the second quantum key to be used for two or more transactions; this is not specifically limited here.
Further, providing the second quantum key and/or second quantum random number and the first identifier to the source-side second device and/or the destination-side second device includes one of the following:
(1) providing the second quantum key and/or second quantum random number and the first identifier to the source-side second device, so that the source-side second device sends the first identifier to the destination-side second device;
(2) providing the second quantum key and/or second quantum random number and the first identifier to the destination-side second device, so that the destination-side second device sends the first identifier to the source-side second device;
(3) providing the second quantum key and/or second quantum random number and the first identifier to both the source-side second device and the destination-side second device.
In the first case, the second quantum key and the first identifier are provided to the source-side second device, and the source-side second device sends the first identifier to the destination-side second device. The destination-side device then uses the first identifier to obtain the second quantum key from the first device. The second case mirrors the first and is not described again.
In the third case, the first device delivers the second quantum key and the first identifier directly to both the source-side second device and the destination-side second device.
The source-side and destination-side second devices subsequently carry the first identifier in their quantum secure communication, so the destination side can tell from the first identifier which second quantum key is to be used for the communication.
The above covers the case in which the destination-side second device is in the local domain, including the local-domain variant in which the first quantum key is obtained from the QKD network in real time and the second quantum key is then provided to the second device, and the local-domain variant in which the first device takes the first quantum key from its cache pool and provides the second quantum key to the second device.
The cross-domain case, in which the destination-side second device lies in another domain, is described in detail next: obtaining the first quantum key from the QKD network in real time and providing the second quantum key to the second device, and the first device taking the first quantum key from its cache pool and providing the second quantum key to the second device. Figure 6 shows the messages exchanged between the devices in the cross-domain case. Note that Figure 6 superimposes several message-forwarding variants in one diagram rather than depicting one particular variant; not every flow shown in Figure 6 occurs in every variant. A label n in the figure corresponds to the nth message in the text.
(1) Real-time key retrieval in the cross-domain case
In some embodiments, the first device obtaining the first quantum key and/or first quantum random number from the first network may include:
S3011: the first device receives a second message, sent by the source-side second device, requesting a quantum key;
S3012: the first device sends a fourth message to the first KM in the QKD network;
S3013: the first device receives the first quantum key and/or first quantum random number sent by the first KM.
The second message is the message by which the source-side second device requests a key from the first device. It may be the same as the first message above, or different.
Further, the first quantum key here is negotiated between the first KM and the second KM after the first KM receives the fourth message.
KM stands for key manager; it may also be called a key management platform or key management center. The first KM is the KM in the QKD network that provides quantum keys to the first device (via the tenth message), and the second KM is the KM in the QKD network that provides quantum keys to the third device (via the eleventh message).
The third device is the device that provides quantum key services to the destination-side second device; it cooperates with the first device to provide quantum cryptography security services to the application layer of the user network. The first device and the third device may belong to the same network and to the same layer (specifically, the quantum cryptography (application) service layer, also called the quantum (secure) communication application service layer or the quantum basic key management layer, etc.).
It follows that after the second KM and the first KM have completed key negotiation, the third device must also obtain the first quantum key they negotiated. There are two ways: either the third device actively sends a key request to the second KM and waits for the second KM to push the first quantum key to it once negotiation with the first KM has completed; or the third device operates in listening mode and waits for the second KM to push the first quantum key once negotiation with the first KM has completed.
After the second message is received in step S3011, the method further includes:
S3011′: the first device determines that the first KM is needed to provide the first quantum key, or the first device determines that the first quantum key in its current cache pool cannot satisfy the request.
This is a decision step taken by the first device after it receives the second message: whether to fetch the first quantum key from the first KM in real time or to take it from the current cache pool. The decision may be framed as "is it necessary to obtain the first quantum key from the first KM", or as "given the information carried in the second message (service information, key information, etc.) and/or the state of the current cache pool (whether enough keys are stored, whether the keys are fresh enough, whether the key length meets the requirement, etc.), can the first quantum key in the current cache pool satisfy the request".
This decision step is not mandatory. For example, if the first device has no cache pool, or if the first device is configured to obtain the first quantum key from the first KM in real time each time it receives a second message, there is no such decision step.
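The S3011′ decision, as an added example that is not the patent's code: a cache pool of first quantum keys already negotiated between the first KM and the second KM, with the three checks the text names (enough keys, fresh enough, long enough), and a fallback that sends the fourth message to the first KM when the pool cannot serve. The KM is represented by a callable the caller supplies (simulated here); the field names of the second and fourth messages, the expiry and reserve thresholds, and the once-only use of each pooled key are assumptions of the example.

```python
"""Cache pool vs. real-time fetch from the first KM (added example)."""
import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Optional, Tuple


@dataclass
class PooledKey:
    key_id: str
    material: bytes
    created_at: float  # seconds since the epoch at which the first KM delivered it


class CachePool:
    """First quantum keys negotiated between the first KM and the second KM."""

    def __init__(self, max_age_s: float, min_count: int) -> None:
        self.max_age_s = max_age_s  # freshness: older material is not served
        self.min_count = min_count  # count: keep a reserve before serving from cache
        self._keys: Deque[PooledKey] = deque()

    def add(self, k: PooledKey) -> None:
        self._keys.append(k)

    def purge_expired(self, now: float) -> None:
        """Drop material older than max_age_s instead of ever serving it."""
        self._keys = deque(k for k in self._keys if now - k.created_at <= self.max_age_s)

    def can_serve(self, length: int, now: float) -> bool:
        """S3011': enough fresh keys, and at least one long enough for the request."""
        self.purge_expired(now)
        return (len(self._keys) >= self.min_count
                and any(len(k.material) >= length for k in self._keys))

    def take(self, length: int, now: float) -> Optional[PooledKey]:
        """Pop the oldest fresh key that is long enough; each pooled key is used once."""
        if not self.can_serve(length, now):
            return None
        for k in self._keys:
            if len(k.material) >= length:
                self._keys.remove(k)
                return k
        return None


def obtain_first_key(pool: CachePool, second_message: Dict,
                     fetch_from_km: Callable[[Dict], PooledKey],
                     now: Optional[float] = None) -> Tuple[PooledKey, str]:
    """Serve from the pool if it can; otherwise send the fourth message to the first KM.

    Returns the key and which path produced it ("cache" or "km").
    """
    now = time.time() if now is None else now
    length = second_message["key_length"]
    k = pool.take(length, now)
    if k is not None:
        return k, "cache"
    # Fourth message (S3012): ask the first KM to negotiate with the peer's KM.
    fourth_message = {"peer_center": second_message["dest_home"], "key_length": length}
    return fetch_from_km(fourth_message), "km"


if __name__ == "__main__":
    pool = CachePool(max_age_s=60.0, min_count=2)
    pool.add(PooledKey("k-1", b"\x01" * 32, created_at=time.time()))
    pool.add(PooledKey("k-2", b"\x02" * 32, created_at=time.time()))

    def simulated_km(fourth_message: Dict) -> PooledKey:
        return PooledKey("km-1", b"\x03" * fourth_message["key_length"], time.time())

    msg = {"key_length": 32, "dest_home": "SC-B"}
    print(obtain_first_key(pool, msg, simulated_km)[1])  # cache
    print(obtain_first_key(pool, msg, simulated_km)[1])  # km (reserve exhausted)
```

The reserve check (min_count) is what keeps a burst of requests from draining the pool to zero before the KM has replenished it; the length check matters because a request for a longer key than anything pooled must go to the KM even when the pool is otherwise healthy.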
Further, the second message carries at least one of: device-related information of the destination-side second device, service-related information, key-related information, and a second identifier;
Correspondingly, the method further includes:
S3011″: the first device obtains the second identifier from the second message, or the first device allocates a second identifier to this request.
That is, the second identifier may be generated by the first device, which allocates it to the request after receiving the second message, or generated by the source-side second device and carried to the first device in the second message.
The purpose of the second identifier is to bind the second quantum key to a secure communication transaction, where a transaction is an instance of secure communication between the source-side second device and the destination-side second device, for example an encrypted call or an encrypted message exchange. The second identifier indicates which second quantum key is to be used for the secure communication transaction. It can be realised in many ways, for example as a key identifier, a transaction identifier, a randomly generated identifier, a sequence number, a code, and so on.
It should be noted that the second identifier mentioned in the embodiments of the present disclosure may indicate the second quantum key to be used for a single secure communication transaction, or the second quantum key to be used for two or more secure communication transactions; this is not specifically limited here.
Step S302, providing the second quantum key and/or second quantum random number to the second device, then includes: providing the second quantum key and/or second quantum random number, together with the second identifier, to the source-side second device.
Specifically, when the second identifier is generated by the first device, the source-side second device must also learn the second identifier so that it knows which second quantum key is to be used for this transaction. The first device therefore supplies the second identifier along with the second quantum key when it provides the latter to the source-side second device, that is, the ninth message in Figure 6 carries the second identifier together with the second quantum key.
When the second identifier is generated by the source-side second device, the first device still returns that second identifier alongside the second quantum key in the ninth message, so that the source-side second device knows that the transaction corresponding to this second identifier must use the second quantum key pushed together with it.
In addition, the method further includes:
sending a third message to the third device that provides quantum key services to the destination-side second device.
The third message can serve several purposes; for example, it can notify/instruct the third device that it is to provide quantum key services to the destination-side second device. There is no fixed time order between sending the third message and sending the fourth message.
Further, the third message may carry the second identifier.
Correspondingly, the third message may be used:
to cause the third device to provide the second identifier together with the second quantum key and/or second quantum random number when it provides them to the destination-side second device;
or, to cause the third device, upon receiving a fifth message carrying the second identifier from the destination-side second device, to provide the second quantum key and/or second quantum random number to the destination-side second device according to the second identifier.
That is, from the third device's point of view both variants serve to let the destination-side second device know which second quantum key is to be used for the transaction corresponding to the second identifier, so that the source-side second device and the destination-side second device use the same key for their secure communication.
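The identifier-driven delivery just described, simulated end to end as an added example that is not the patent's code. It covers both the cross-domain flow of this section (second message, fourth message to the first KM, ninth message back to the source device, third message to the third device, fifth message from the destination device) and the local-domain first-identifier case described earlier, where the same service center answers the destination device's lookup. The two KMs are modelled as one table so that a key negotiated on one side is visible on the other; the second quantum key is taken to be the negotiated first quantum key itself; keys are returned in the clear, i.e. the S302c′ case; and the message field names, the identifier format and the key reference carried in the third message are assumptions of the example.

```python
"""Transaction identifier binding a key across two service centers (added example)."""
import os
import secrets
from typing import Dict, Optional


class KMPair:
    """First KM and second KM together: a key negotiated by one is held by both."""

    def __init__(self) -> None:
        self._negotiated: Dict[str, bytes] = {}

    def negotiate(self, km_key_id: str, length: int) -> bytes:
        # Fourth message handling: both KMs end up with the same first quantum key.
        self._negotiated.setdefault(km_key_id, os.urandom(length))
        return self._negotiated[km_key_id]

    def lookup(self, km_key_id: str) -> Optional[bytes]:
        # What the second KM pushes to the third device on request.
        return self._negotiated.get(km_key_id)


class ServiceCenter:
    """Acts as the first device for its own users and as the third device for peers."""

    def __init__(self, name: str, kms: KMPair, home: Dict[str, str]) -> None:
        self.name = name
        self.kms = kms
        self.home = home  # device id -> name of the service center serving it
        self.transactions: Dict[str, dict] = {}  # identifier -> transaction record

    def handle_second_message(self, msg: dict, peers: Dict[str, "ServiceCenter"]) -> dict:
        """Source device asks for a key; returns the ninth message (key + identifier)."""
        src, dst, length = msg["src"], msg["dst"], msg["key_length"]
        if self.home.get(src) != self.name:
            raise PermissionError("source device is not served by this center")
        dst_home = self.home.get(dst)
        if dst_home is None:
            raise ValueError("destination device has no known home center")
        # S3011'': reuse the identifier the source supplied, else allocate one.
        tx_id = msg.get("second_id") or secrets.token_hex(8)
        km_key_id = f"{self.name}:{tx_id}"
        ks = self.kms.negotiate(km_key_id, length)
        self.transactions[tx_id] = {"src": src, "dst": dst, "km_key_id": km_key_id, "ks": ks}
        if dst_home != self.name:
            # Cross-domain: third message tells the peer which transaction to expect.
            peers[dst_home].handle_third_message(
                {"second_id": tx_id, "src": src, "dst": dst, "km_key_id": km_key_id})
        return {"second_id": tx_id, "ks": ks}

    def handle_third_message(self, msg: dict) -> None:
        """Third device records the transaction; the key is fetched from its KM on demand."""
        self.transactions[msg["second_id"]] = {
            "src": msg["src"], "dst": msg["dst"], "km_key_id": msg["km_key_id"], "ks": None}

    def handle_fifth_message(self, msg: dict) -> Optional[dict]:
        """Destination device presents the identifier; only the recorded destination may fetch."""
        rec = self.transactions.get(msg["second_id"])
        if rec is None or rec["dst"] != msg["requester"]:
            return None
        if rec["ks"] is None:
            rec["ks"] = self.kms.lookup(rec["km_key_id"])
        return {"second_id": msg["second_id"], "ks": rec["ks"]}


if __name__ == "__main__":
    kms = KMPair()
    home = {"A": "SC-A", "B": "SC-A", "C": "SC-B"}  # constructed topology
    sc_a, sc_b = ServiceCenter("SC-A", kms, home), ServiceCenter("SC-B", kms, home)
    peers = {"SC-A": sc_a, "SC-B": sc_b}
    ninth = sc_a.handle_second_message({"src": "A", "dst": "C", "key_length": 32}, peers)
    # Source sends only the identifier to C; C fetches the key from its own center.
    fifth = sc_b.handle_fifth_message({"second_id": ninth["second_id"], "requester": "C"})
    print("same key at both ends:", fifth["ks"] == ninth["ks"])
```

The check in `handle_fifth_message` that the requester is the recorded destination is the part worth keeping in a real design: the identifier travels over the application path in the clear, so knowledge of it alone must not be enough to pull the key from a service center.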
(2) Key retrieval from the cache pool in the cross-domain case
In some embodiments, the method provided by the embodiments of the present disclosure further includes:
S301a: the first device receives a second message, sent by the source-side second device, requesting a quantum key;
S301b: the first device obtains the first quantum key and/or first quantum random number from the cache pool.
The cache pool is built as follows:
the first device stores the first quantum keys and/or first quantum random numbers obtained from the first network, forming the cache pool; the first quantum keys in the cache pool are those negotiated between the first KM and the second KM in the QKD network.
In addition, in some embodiments the method further includes: the first device determining that the first quantum key is to be obtained from the cache pool.
This refers to the first device's decision whether to obtain the first quantum key in real time or from the cache pool. As before, this decision step is not mandatory; for example, the first device may be configured to take the first quantum key directly from the cache pool without any decision.
进一步地,步骤S301a中的第二消息携带以下信息中的至少之一:目的端第二设备的设备相关信息、业务相关信息、密钥相关信息、第二标识;Further, the second message in step S301a carries at least one of the following information: device-related information, service-related information, key-related information, and second identification of the second device at the destination;
相应地,所述方法还包括:Correspondingly, the method also includes:
第一设备根据所述第二消息获得第二标识,或第一设备为本次密钥服务分配第二标识。 The first device obtains the second identity according to the second message, or the first device allocates the second identity for this key service.
进而,步骤S302向第二设备提供第二量子密钥和/或第二量子随机数,包括:Furthermore, step S302 provides the second quantum key and/or the second quantum random number to the second device, including:
向源端第二设备提供第二量子密钥和/或第二量子随机数,以及所述第二标识。Provide a second quantum key and/or a second quantum random number, and the second identification to the second device at the source end.
In addition, the method provided by the embodiments of the present disclosure further includes:
sending a third message to a third device that provides quantum key service for the destination second device.
There is no required ordering between sending the third message and obtaining the first quantum key.
Further, the third message may carry the second identifier.
The third message is then used:
to cause the third device, via an eighth message, to provide the second identifier together with the second quantum key and/or the second quantum random number to the destination second device;
or, to cause the third device, upon receiving a fifth message sent by the destination second device that carries the second identifier, to provide the second quantum key and/or the second quantum random number to the destination second device according to the second identifier.
In addition, the third message may also carry a third identifier, which identifies the first quantum key and/or the first quantum random number.
The third identifier is then used:
to cause the third device to obtain the corresponding first quantum key and/or first quantum random number from its cache pool according to the third identifier.
It will be understood that the third device, like the first device, also stores the first quantum key after receiving it from the second KM, forming a cache pool. The first quantum key here is the one negotiated between the first KM and the second KM. When the first KM and the second KM push the first quantum key to the first device and the third device, they also push the third identifier corresponding to that first quantum key. After the first device sends the third identifier to the third device, the third device can select the corresponding first quantum key from its cache pool according to the third identifier, achieving key synchronization.
In some implementations, the method further includes:
receiving a third identifier sent by the third device, the third identifier identifying the first quantum key and/or the first quantum random number.
Specifically, the third identifier identifies the first quantum key. Its main purpose is to keep the first device and the third device synchronized when they take keys from their cache pools: through the third identifier, the first device and the third device each learn which first quantum key the other end has taken out. There are two possible cases. In the first, described above, the first device determines the third identifier of the first quantum key it has taken out and carries that third identifier in the third message, telling the third device to select the key corresponding to it. In the second, the first device sends a third message that notifies the third device to take a key from its cache pool, or to push a key to the destination second device; the third device then determines the third identifier of the first quantum key it takes out, i.e. the third device decides which key to select from the cache pool, and returns the third identifier to the first device to inform it of the selection, so that the first device and the third device are synchronized as to which key was taken.
In some implementations, providing the second quantum key and/or the second quantum random number to the second device in step S302 includes:
providing the second quantum key and/or the second quantum random number to the second device for use by the second device in a security application.
The security application here may be any of various applications such as secure communication, security authentication, or encrypted storage.
Further, the second quantum key and/or the second quantum random number is used by the second device as a session key, key-protection key, root key, master key, encrypted-storage key, or authentication key. That is, the role of the second quantum key is determined by the second device according to the specific security application; the first device is only responsible for providing the second quantum key.
In some implementations, providing the second quantum key and/or the second quantum random number to the second device in step S302 includes at least one of the following:
sending the second quantum key and/or the second quantum random number to the second device online;
filling the second quantum key and/or the second quantum random number into the second device offline;
providing the second quantum key and/or the second quantum random number to the second device over a wired connection;
providing the second quantum key and/or the second quantum random number to the second device over a wireless connection.
The embodiments of the present disclosure also provide a quantum secure communication method, as shown in Figure 7, including:
S701. Receiving the first quantum key and/or the first quantum random number sent by the second KM in the QKD network, or obtaining the first quantum key and/or the first quantum random number from a cache pool;
S702. Providing the second quantum key and/or the second quantum random number to the destination second device.
In some implementations, receiving the first quantum key and/or the first quantum random number sent by the second KM in the QKD network in step S701 includes:
S701a. Sending a seventh message to the second KM in the QKD network, and receiving the first quantum key and/or the first quantum random number sent by the second KM;
or, S701b. Waiting in listening mode for the second KM in the QKD network to send the first quantum key and/or the first quantum random number via an eleventh message.
In some implementations, the method further includes: receiving a third message sent by the first device that provides quantum key service for the source second device. Further, the third message may carry a third identifier, which identifies the first quantum key and/or the first quantum random number. Further, the method includes: the third device obtaining the corresponding first quantum key and/or first quantum random number from its cache pool according to the third identifier. This is the case in which the first device determines the third identifier.
In some implementations, the method further includes: after receiving the third message, sending a third identifier to the first device, the third identifier identifying the first quantum key and/or the first quantum random number. This is the case in which the third device determines the third identifier; having determined it, the third device sends it to the first device via a twelfth message.
In some implementations, providing the second quantum key and/or the second quantum random number to the destination second device in step S302 includes:
actively providing the second quantum key and/or the second quantum random number to the destination second device via an eighth message;
or, after receiving a fifth message sent by the destination second device, providing the second quantum key and/or the second quantum random number to the destination second device.
In some implementations, the third message may carry the second identifier.
Further, providing the second quantum key and/or the second quantum random number to the destination second device in step S302 includes:
the third device providing the second identifier together with the second quantum key and/or the second quantum random number to the destination second device;
or, when the third device receives a fifth message sent by the destination second device that carries the second identifier, providing the second quantum key and/or the second quantum random number to the destination second device according to the second identifier.
The destination second device obtains the second identifier from a sixth message sent by the source second device. As described above, the second identifier may be allocated by the source second device, or allocated by the first device and then communicated to the source second device. Once the source second device knows the second identifier, it sends it to the destination second device in the sixth message, so that the destination second device can obtain the quantum key for this transaction from the third device according to the second identifier (either by actively requesting it using the second identifier, or by passively waiting for the third device to push it and using the second identifier in the pushed message to determine which second quantum key belongs to this transaction).
To describe the method provided by the present disclosure more clearly, the overall flow of the method is explained below by way of example.
When an upper-layer user has a service that needs to initiate communication, the quantum cryptography service center determines, according to the service areas to which the two communicating parties belong, how to provide quantum cryptography service: as a local service or as a cross-region service. For two service applications communicating within the same service area (for example, quantum cryptography application devices A and B in Figure 5), the quantum cryptography service center provides local service. It does not need to invoke the quantum key negotiation capability of the underlying QKD network; it only obtains, through the Ak interface, quantum random numbers produced by a local QKD network node device or a local quantum random number generator, generates a symmetric quantum key from them and provides it to the upper layer, meeting the cryptographic needs of the two communicating services. For two service applications belonging to different service areas (for example, quantum cryptography application devices A and C in Figure 5), the quantum cryptography service center provides cross-region service. In this case it must interact with the quantum cryptography service center serving the peer, negotiate a symmetric quantum key through the QKD network, and provide it to both service applications.
Figure 8 shows the processing flow by which two quantum cryptography application devices A and B, belonging to the same area and served by the same quantum cryptography service center A, achieve quantum secure communication. The quantum cryptography application device is chosen here only as a convenient example; it may stand for any network device or service application at the user layer. The same holds for the flows below and is not repeated.
1. When quantum cryptography application devices A and B need to communicate securely based on a quantum key, A sends a quantum secure communication request message to B. The message may carry the identifier of the home service center that provides quantum cryptography service for device A, as well as security-related information. The security-related information is used to complete the quantum communication encryption negotiation and may include quantum-key-related information (such as key amount and key acquisition method) and encryption-related information (such as the encryption mode (e.g. encryption (stream cipher, block cipher, etc.), integrity protection, etc.) and the encryption algorithm).
2. Quantum cryptography application device B returns a quantum secure communication response message to A, which may carry the identifier of device B's home quantum cryptography service center and the security-related information confirmed by B.
Steps 1 to 2 are the establishment of quantum secure communication between A and B. This is only illustrative; the establishment differs between applications. It may be a single exchange of service request and response messages, or an exchange of a series of protocol messages. For example, in a quantum encrypted telephony service, this is the exchange of call request and call response messages, which may carry a secure-communication flag indicating the security attribute of the service; in a secure communication service based on the IPSec protocol, it comprises two phases of message exchange that complete identity authentication and quantum encryption service negotiation between the two devices under IPSec; and so on.
3. Quantum cryptography application device A sends a key request through the As interface to its home quantum cryptography service center A, carrying the identifiers/addresses A and B of the source and destination of the communication, service-related information, key-related information, and so on. Service-related information describes the service identifier, type and attributes of this quantum secure communication and is used to distinguish the diverse upper-layer services, for example data services, voice services, e-mail services, streaming media services, messaging services, etc. Key-related information describes the quantum-key requirements of devices A and B, for example key amount, key quality of service (QoS) requirements (key delivery rate, delivery time requirements, etc.) and delivery mode (request-based, push-based, etc.). The request message may also carry the identifier of the destination's home quantum cryptography service center, used to determine the service area to which quantum cryptography application device B belongs.
4. After receiving the key request, quantum cryptography service center A determines, from the identifier/address of destination device B or from the carried destination home service center identifier A, whether the destination is a service node within the area this service center is responsible for. If so, proceed to step 5; otherwise, switch to the cross-region quantum secure communication flow (see Figure 9).
5. Quantum cryptography service center A obtains quantum random numbers locally and generates a transaction identifier (Transaction ID, TID) and a quantum key K for this session. The quantum random numbers may be obtained by calling a quantum random number generator deployed locally at service center A, or from a QKD network device node in the local area through the Ak interface. The transaction identifier TID corresponds to the quantum key K and identifies the symmetric quantum key for this session; the quantum key is generated from the obtained quantum random numbers and should satisfy the needs of the service.
6. A key response message is returned to quantum cryptography application device A, carrying the transaction identifier TID and the quantum key K, and optionally key-related information. Key-related information may contain system-defined parameters such as the key generation time and key lifetime.
7. Quantum cryptography application device A sends a key notification message to B carrying the transaction identifier TID, to notify the peer to fetch the generated quantum key K.
8. Quantum cryptography application device B sends a key request to its home quantum cryptography service center A, carrying the transaction identifier TID and optionally the identifiers/addresses A and B of the source and destination of the communication.
9. Based on the transaction identifier TID, quantum cryptography service center A looks up the corresponding quantum key K and returns it to quantum cryptography application device B in a key response message. The message may also carry key-related information providing system-defined parameters such as the key generation time and key lifetime.
10. After receiving the key response, quantum cryptography application device B returns a key acknowledgement message to A, informing the peer that the symmetric quantum key K to be used for this communication session has been obtained successfully.
11. Using the obtained quantum key K, quantum cryptography application devices A and B can begin quantum secure communication.
In the above flow, the transaction identifier TID is only one way to implement key notification and retrieval; an actual system may use other means. For example, quantum cryptography service center A may generate a token or ticket and deliver it to device B via quantum cryptography application device A. With the token or ticket, device B can obtain the corresponding quantum key K from service center A and thus communicate securely with device A. To secure these messages, the quantum cryptography service center, when issuing the TID, token or ticket, may apply integrity protection and/or a signature to the key contents and add a timestamp, so that the information cannot be forged, tampered with or replayed by an attacker. The same holds for the flows below and is not repeated.
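The Figure 8 local flow (steps 3 to 9) with the integrity-protected, timestamped TID just described, as an added Python model that is not the patent's or the applicant's code: the center name, the HMAC-SHA256 construction of the TID, the lifetime, and os.urandom standing in for the quantum random numbers are assumptions.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

MAC_LEN = 32  # HMAC-SHA256 tag appended to the TID payload (assumed construction)


class KeyServiceError(Exception):
    """Raised when the service center refuses to release a key."""


class QuantumCryptoServiceCenter:
    """Models quantum cryptography service center A of Figure 8 (constructed example)."""

    def __init__(self, center_id, issuer_key, tid_lifetime=60):
        self.center_id = center_id
        self.issuer_key = issuer_key        # assumed: center-local integrity key for TIDs
        self.tid_lifetime = tid_lifetime    # seconds during which a TID may be redeemed
        self.keys = {}                      # tid -> {"K": ..., "created": ..., "lifetime": ...}
        self.redeemed = set()               # TIDs already used to fetch K (replay check)

    def quantum_random(self, n):
        # Stand-in for the local QRNG or the Ak-interface source of quantum random numbers.
        return os.urandom(n)

    def _mac(self, payload):
        return hmac.new(self.issuer_key, payload, hashlib.sha256).digest()

    def issue_tid(self, src, dst, now):
        """TID = issuer|src|dst|timestamp|nonce, integrity-protected and timestamped."""
        payload = f"{self.center_id}|{src}|{dst}|{now}|{secrets.token_hex(8)}".encode()
        return base64.urlsafe_b64encode(payload + self._mac(payload)).decode()

    def parse_tid(self, tid):
        """Return the TID fields, or None if the integrity tag does not verify."""
        raw = base64.urlsafe_b64decode(tid)
        payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
        if not hmac.compare_digest(tag, self._mac(payload)):
            return None
        issuer, src, dst, issued, _nonce = payload.decode().split("|")
        return {"issuer": issuer, "src": src, "dst": dst, "issued": int(issued)}

    def key_request_from_source(self, src, dst, key_bytes, now):
        """Steps 3-6: the source device asks for a key; the center returns TID, K, key info."""
        tid = self.issue_tid(src, dst, now)
        k = self.quantum_random(key_bytes)     # step 5: K built from quantum random numbers
        self.keys[tid] = {"K": k, "created": now, "lifetime": self.tid_lifetime}
        return {"tid": tid, "K": k, "created": now, "lifetime": self.tid_lifetime}

    def key_request_from_destination(self, requester, tid, now):
        """Steps 8-9: the destination presents the TID and gets the same K after the checks."""
        fields = self.parse_tid(tid)
        if fields is None or fields["issuer"] != self.center_id:
            raise KeyServiceError("TID integrity check failed")
        if requester != fields["dst"]:
            raise KeyServiceError("TID was not issued for this requester")
        if now - fields["issued"] > self.tid_lifetime:
            raise KeyServiceError("TID expired")
        if tid in self.redeemed:
            raise KeyServiceError("TID already redeemed (replay)")
        self.redeemed.add(tid)
        return self.keys[tid]["K"]


def is_rejected(center, requester, tid, now):
    """True if the center refuses to release K for this (requester, TID, time)."""
    try:
        center.key_request_from_destination(requester, tid, now)
        return False
    except KeyServiceError:
        return True


def local_flow(key_bytes=32, now=None):
    """Run steps 3-9 of Figure 8 for devices A and B served by one center."""
    now = int(time.time()) if now is None else now
    center = QuantumCryptoServiceCenter("QCSC-A", os.urandom(32))
    resp = center.key_request_from_source("A", "B", key_bytes, now)     # steps 3-6
    tid = resp["tid"]                                                   # step 7: A -> B
    k_at_b = center.key_request_from_destination("B", tid, now + 1)     # steps 8-9
    return center, tid, resp["K"], k_at_b


if __name__ == "__main__":
    c, tid, k_a, k_b = local_flow()
    print("A and B hold the same K:", k_a == k_b)
    print("second redemption rejected:", is_rejected(c, "B", tid, 2))
```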
Figure 9 shows the processing flow by which two quantum cryptography application devices A and C, belonging to different areas and served by different quantum cryptography service centers A and B, achieve quantum secure communication, implemented by negotiating the key in real time through the QKD network.
Steps 1 to 2 are the establishment of quantum secure communication, similar to Figure 8; the repeated parts are not described again. Here, the quantum secure communication response message returned by quantum cryptography application device C to A may carry the home quantum cryptography service center identifier B, which differs from that of quantum cryptography application device A.
3. Quantum cryptography application device A sends a key request through the As interface to its home quantum cryptography service center A, carrying the identifiers/addresses A and C of the source and destination of the communication, service-related information, key-related information, and so on. Service-related information describes the service identifier, type and attributes of this quantum secure communication and is used to distinguish the diverse upper-layer services, for example data services, voice services, e-mail services, streaming media services, messaging services, etc. Key-related information describes the quantum-key requirements of devices A and C, for example key amount, key QoS requirements (key delivery rate, delivery time requirements, etc.) and delivery mode (request-based, push-based, etc.). The request message may also carry the identifier of the destination's home quantum cryptography service center, used to determine the service area to which quantum cryptography application device C belongs.
4. After receiving the key request, quantum cryptography service center A determines, from the identifier/address of destination quantum cryptography application device C or from the carried destination home service center identifier B, whether the destination is a service node within the area this service center is responsible for. If so, switch to the local quantum secure communication flow (see Figure 8); otherwise, proceed to step 5.
5. Quantum cryptography service center A generates a transaction identifier TID for the cryptographic request of this quantum secure communication, determines the destination's home quantum cryptography service center, and sends it a quantum cryptography service request message carrying the identifiers/addresses A and C of the source and destination quantum cryptography application devices, the transaction identifier TID, service-related information, quantum-key-related information, QKD service node information, and so on. The TID associates this quantum secure communication service with the quantum key for this service, so that the service centers at both ends can index and manage user applications and quantum cryptography services. Service-related information describes the service identifier, type and attributes of this quantum secure communication. Key-related information describes the quantum-key requirements of this quantum secure communication. The message may also carry QKD service node information, which tells the peer the identifier/address of the QKD network key management device serving this end, so that the peer can reach it.
6. Quantum cryptography service center B returns a quantum cryptography service response message as confirmation. The message includes the transaction identifier TID and QKD service node information; the latter tells the peer the identifier/address of the QKD network key management device serving this end, so that the peer can reach it.
7. Quantum cryptography service center A sends a QKD key request through the Ak interface to its local QKD network key management device A, to obtain a quantum key by negotiation with the peer through the underlying QKD network. The request includes the identifier of the destination quantum cryptography service center / QKD network key management device, quantum-key-related information, and so on. The identifier specifies the underlying QKD network key management device that serves destination quantum cryptography service center B, so that it can be reached. The quantum-key-related information expresses the quantum-key requirements of this cryptographic service.
8. QKD network key management devices A and B invoke the quantum-layer capability of the QKD network to start key negotiation.
9a/b. After the quantum key negotiation succeeds, each QKD network key management device provides the generated quantum key K and quantum-key-related information to its quantum cryptography service center through the Ak interface.
The operations of steps 7 to 9 will in practice differ according to the key negotiation mode used (request-based, push-based, etc.). A rough outline is given here for completeness of the flow, for reference only.
10. After the negotiation succeeds, quantum cryptography service center A returns a key response message to quantum cryptography application device A, carrying the transaction identifier TID and the quantum key K, and optionally key-related information. Key-related information may contain system-defined parameters such as the key generation time and key lifetime.
11. Quantum cryptography application device A sends a key notification message to C carrying the transaction identifier TID, to notify the peer to fetch the negotiated quantum key K.
12. Quantum cryptography application device C sends a key request to its home quantum cryptography service center B, carrying the transaction identifier TID and optionally the identifiers/addresses A and C of the source and destination of the communication.
13. Based on the transaction identifier TID, quantum cryptography service center B looks up the corresponding quantum key K and returns it to quantum cryptography application device C in a key response message. The message may also carry key-related information providing system-defined parameters such as the key generation time and key lifetime.
14. After receiving the key response, quantum cryptography application device C returns a key acknowledgement message to A, informing the peer that the symmetric quantum key K to be used for this communication session has been obtained successfully.
15. Using the obtained quantum key K, quantum cryptography application devices A and C can begin quantum secure communication.
Because the key negotiation rate of the underlying QKD network is limited, for cross-region quantum secure communication services the quantum cryptography service center determines the quantum cryptography service mode according to the service type or requirements of the upper-layer application. For services with high security requirements, or whose quantum-key demand lasts a long time and is stable but small on average (so that QKD network performance can satisfy it), such as off-site data disaster recovery, encrypted telephony and encrypted video, the quantum cryptography service center can provide quantum keys by real-time negotiation through the QKD network when it receives a request (Figure 9). For services prone to bursts or high concurrency (for example secure access and Internet data transmission), real-time QKD negotiation may not meet the timeliness and concurrency demands of cryptographic applications, so the quantum cryptography service center can establish a quantum key cache pool, negotiating and storing a quantity of quantum keys in advance to meet the needs of such services (Figure 10). When services are idle, the quantum cryptography service center can invoke the QKD network capability to negotiate symmetric quantum keys with the other quantum cryptography service centers, label them, and cache them for later use.
图10给出了归属于不同区域,从不同的量子密码服务中心A和B处获取服务的两量子密码应用设备A与C实现量子保密通信的处理流程,采用预先缓存的量子密钥来实现。Figure 10 shows the process flow of two quantum cryptography application devices A and C, which belong to different areas and obtain services from different quantum cryptography service centers A and B, to achieve quantum confidential communication, using pre-cached quantum keys.
步骤1~4与图9相同,这里不再赘述。Steps 1 to 4 are the same as in Figure 9 and will not be repeated here.
5.量子密码服务中心A根据密钥请求中携带的业务相关信息以及密钥相关信息确定本次量子保密通信业务能否采用预先协商、缓存的量子密钥来满足应用要求?如果可以,则转步骤6;否则,转入量子QKD实时协商的处理流程(见图6)。5. Based on the business-related information and key-related information carried in the key request, quantum cryptography service center A determines whether the quantum secret communication service can use pre-negotiated and cached quantum keys to meet application requirements? If yes, go to step 6; otherwise, go to the quantum QKD real-time negotiation process (see Figure 6).
6.量子密码服务中心A为本次量子保密通信的密码请求生成事务标识TID,确定目的端归属量子密码服务中心并向其发送量子密码业务请求消息。其中,携带源端和目的端量子密码应用设备的标识/地址A和C、事务标识TID、业务相关信息、量子密钥相关信息等。6. Quantum cryptography service center A generates a transaction identifier TID for the cryptographic request of this quantum confidential communication, determines that the destination belongs to the quantum cryptography service center, and sends a quantum cryptography service request message to it. Among them, it carries the identification/address A and C of the source and destination quantum cryptography application equipment, transaction identification TID, business-related information, quantum key-related information, etc.
7.量子密码服务中心B返回量子密码业务响应消息进行确认。消息中包括事务标识TID。7. Quantum cryptography service center B returns the quantum cryptography service response message for confirmation. The message includes the transaction identifier TID.
8.协商成功后,量子密码服务中心A向量子密码应用设备A返回密钥响应消息,其中携带事务标识TID及量子密钥K,可选携带密钥相关信息等内容。密钥相关信息可包含系统自定义的参数内容,例如,密钥的生成时间、密钥生存期等信息。8. After the negotiation is successful, quantum cryptography service center A returns a key response message to quantum cryptography application device A, which carries the transaction identifier TID and quantum key K, and optionally carries key-related information and other content. Key-related information may include system-customized parameter content, such as key generation time, key lifetime, and other information.
9.量子密码应用设备A向C发送密钥通知消息,其中携带事务标识TID,用于通知对端获取已协商的量子密钥K。9. Quantum cryptography application device A sends a key notification message to C, which carries the transaction identifier TID, which is used to notify the peer to obtain the negotiated quantum key K.
10.量子密码应用设备C向其归属的量子密码服务中心B发送密钥请求,其中携带事务标识TID,并可携带通信的源端和目的端的标识/地址A和C。10. Quantum cryptography application device C sends a key request to its home quantum cryptography service center B, which carries the transaction identifier TID and can carry the identities/addresses A and C of the source and destination of the communication.
11.基于事务标识TID信息,量子密码服务中心B查找相对应的量子密钥K,并通过密钥响应消息反馈给量子密码应用设备C。消息中还可携带密钥相关信息,用于提供系统自定义的参数内容,例如,密钥的生成时间、密钥生存期等信息。11. Based on the transaction identification TID information, the quantum cryptography service center B searches for the corresponding quantum key K and feeds it back to the quantum cryptography application device C through the key response message. The message can also carry key-related information to provide system-customized parameter content, such as key generation time, key lifetime, and other information.
12.接收到密钥响应之后,量子密码应用设备C向A返回密钥应答消息,告知对端本次通信会话将使用的量子对称密钥K已获取成功。12. After receiving the key response, the quantum cryptography application device C returns a key response message to A, informing the peer that the quantum symmetric key K to be used in this communication session has been successfully obtained.
13.基于获取到的量子密钥K,量子密码应用设备A和C可以开始量子保密通信。13. Based on the obtained quantum key K, quantum cryptography application equipment A and C can start quantum secure communication.
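The cross-region flows of Figures 9 and 10 reduced to a runnable model, as an added example that is not code from the patent: a service center picks real-time QKD negotiation or the pre-negotiated cache pool by service type, binds the key to a TID that is the only thing the source device forwards to the destination device, and the destination's home center releases the key once against that TID, subject to the key lifetime. Class names, message fields, service-type labels and the QKD quantum-layer stub are all assumptions.

```python
"""Cross-region quantum key delivery keyed by a transaction identifier (TID), after Figures 9
and 10. Added illustration, not patent code: names are assumed; the QKD quantum layer is a stub."""
import secrets
import time
from dataclasses import dataclass

KEY_BYTES = 32
# Service types the text calls bursty or highly concurrent: served from the cache pool (assumed labels).
BURSTY_SERVICES = {"secure_access", "internet_data"}


@dataclass
class QuantumKey:
    key_id: str        # "third identifier": names the key between the two service centers
    value: bytes
    created_at: float  # key generation time, carried as key related information
    lifetime_s: float  # key lifetime, likewise

    def expired(self, now=None):
        return (time.time() if now is None else now) > self.created_at + self.lifetime_s


class KeyManager:
    """Simulated QKD-network key management device (KM)."""
    def __init__(self, name):
        self.name, self.keys = name, {}  # key_id -> QuantumKey negotiated with the peer KM


class QKDNetwork:
    """Stand-in for the quantum layer: after negotiate() both KMs hold the same key."""
    def negotiate(self, km_a, km_b, lifetime_s=600.0):
        k = QuantumKey(secrets.token_hex(8), secrets.token_bytes(KEY_BYTES), time.time(), lifetime_s)
        km_a.keys[k.key_id] = km_b.keys[k.key_id] = k
        return k


class ServiceCenter:
    """Quantum cryptography service center between the KMs and the application devices."""
    def __init__(self, name, km, network, members=()):
        self.name, self.km, self.network = name, km, network
        self.members = set(members)  # application devices homed at this center
        self.pool = []               # cache pool of pre-negotiated keys (Figure 10)
        self.sessions = {}           # TID -> (destination device, key) awaiting pickup

    def prefill_pool(self, peer, count):
        """Idle-time negotiation: pre-negotiate keys with a peer center, cached at both ends."""
        for _ in range(count):
            k = self.network.negotiate(self.km, peer.km)
            self.pool.append(k)
            peer.pool.append(k)

    def pop_cached(self, key_id=None):
        """Take a live key from the pool (a specific one if key_id is given); drop expired ones."""
        for k in list(self.pool):
            if key_id is None or k.key_id == key_id:
                self.pool.remove(k)
                if not k.expired():
                    return k
        return None

    def handle_key_request(self, src, dst, service, peer):
        """Key request from the source device (step 4). Returns (TID, key, used_cache)."""
        if dst in self.members:  # step 5 judgement: only the cross-region case is modelled
            raise ValueError("intra-region delivery is not modelled here")
        tid = secrets.token_hex(8)
        key = self.pop_cached() if service in BURSTY_SERVICES else None
        used_cache = key is not None
        if key is None:  # Figure 9 path: real-time negotiation over the QKD network
            key = self.network.negotiate(self.km, peer.km)
        # Service request to the destination's home center carries the TID and the key identifier.
        peer.accept_service_request(tid, src, dst, key.key_id)
        return tid, key, used_cache

    def accept_service_request(self, tid, src, dst, key_id):
        """Peer center: locate the key it holds under key_id and bind it to the TID."""
        if dst not in self.members:
            raise ValueError(f"{dst} is not homed at center {self.name}")
        key = self.pop_cached(key_id) or self.km.keys.pop(key_id, None)
        if key is None or key.expired():
            raise KeyError(f"no usable key {key_id} at center {self.name}")
        self.sessions[tid] = (dst, key)
        return tid  # service response message carrying the TID

    def fetch_by_tid(self, tid, requester):
        """Key request from the destination device carrying the TID (steps 12/13); single use."""
        dst, key = self.sessions.pop(tid, (None, None))
        if key is None or dst != requester:
            raise KeyError("unknown TID or requester mismatch")
        if key.expired():
            raise KeyError("key lifetime exceeded")
        return key


def run_cross_region_session(service, pool_size=2):
    """Device A (home center A) and device C (home center B) obtain one shared key K."""
    net = QKDNetwork()
    center_a = ServiceCenter("A", KeyManager("KM-A"), net, members=["dev-A"])
    center_b = ServiceCenter("B", KeyManager("KM-B"), net, members=["dev-C"])
    center_a.prefill_pool(center_b, pool_size)
    tid, key_a, used_cache = center_a.handle_key_request("dev-A", "dev-C", service, center_b)
    # The key notification A -> C carries only the TID; C then fetches K from its own center.
    key_c = center_b.fetch_by_tid(tid, "dev-C")
    return {"same_key": key_a.value == key_c.value, "used_cache": used_cache,
            "pool_left": len(center_a.pool), "tid": tid, "center_b": center_b}
```

The ordering is simplified: in Figure 9 the service request to center B precedes the QKD negotiation, whereas here the key identifier is already known when the request is sent.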
It should be noted that the present disclosure provides multiple embodiments, and permutations and combinations of these embodiments also fall within the scope of protection of the present disclosure.
As shown in Figure 11, an embodiment of the present disclosure further provides a quantum secure communication apparatus, applied to a first device, including:
a processing module 1101, configured to obtain a first quantum key and/or a first quantum random number from a first network, or to obtain the first quantum key and/or the first quantum random number locally;
a sending module 1102, configured to provide a second quantum key and/or a second quantum random number to a second device.
As an optional embodiment, the apparatus further includes:
a judging module, configured to judge whether the destination second device belongs to a node of the local region.
As an optional embodiment, the judging module includes:
a first sub-module, configured to receive a first message sent by the source second device, the first message carrying device related information of the destination second device;
a second sub-module, configured to judge, according to the device related information of the destination second device, whether the destination second device belongs to a node of the local region.
As an optional embodiment, the sending module includes:
a first sending sub-module, configured to provide the second quantum key and/or the second quantum random number to the source second device and the destination second device.
As an optional embodiment, the sending sub-module is further configured to:
directly provide the second quantum key and/or the second quantum random number to the source second device and the destination second device;
or provide the second quantum key and/or the second quantum random number to only some of the second devices, so that those second devices send the second quantum key and/or the second quantum random number to the other second devices participating in the communication.
As an optional embodiment, providing the second quantum key and/or the second quantum random number includes:
providing the second device with its corresponding second quantum key and/or second quantum random number;
or encrypting the second quantum key and/or the second quantum random number corresponding to the second device, and then providing the encrypted second quantum key and/or second quantum random number.
As an optional embodiment, separately encrypting the second quantum key and/or the second quantum random number corresponding to each second device includes:
encrypting the second quantum key and/or the second quantum random number with a first key, where the first key is a symmetric key shared between the first device and each second device;
or encrypting the second quantum key and/or the second quantum random number with the public key corresponding to the digital certificate of the second device.
As an optional embodiment, the apparatus further includes:
a message receiving module, configured to receive a first message sent by the source second device, the first message carrying at least one of: device related information of the destination second device, service related information, key related information, and a first identifier;
a determining module, configured to obtain the second quantum key and/or the second quantum random number, and the first identifier;
an information providing module, configured to provide the second quantum key and/or the second quantum random number, together with the first identifier, to the source second device and/or the destination second device.
As an optional embodiment, providing the second quantum key and/or the second quantum random number together with the first identifier to the source second device and/or the destination second device includes one of the following:
providing the second quantum key and/or the second quantum random number and the first identifier to the source second device, so that the source second device sends the first identifier to the destination second device;
providing the second quantum key and/or the second quantum random number and the first identifier to the destination second device, so that the destination second device sends the first identifier to the source second device;
providing the second quantum key and/or the second quantum random number and the first identifier to both the source second device and the destination second device.
As an optional embodiment, the processing module includes:
a third sub-module, configured to receive a second message, requesting a quantum key, sent by the source second device;
a fourth sub-module, configured to send a fourth message to a first KM in the QKD network;
a fifth sub-module, configured to receive the first quantum key and/or the first quantum random number sent by the first KM.
As an optional embodiment, the first quantum key is obtained by the first KM through negotiation with a second KM after receiving the fourth message.
As an optional embodiment, the apparatus further includes:
a third determining module, configured to determine that the first KM is required to provide the first quantum key, or for the first device to determine that the first quantum keys in the current cache pool cannot meet the usage requirements.
As an optional embodiment, the second message carries at least one of: device related information of the destination second device, service related information, key related information, and a second identifier;
correspondingly, the method further includes:
the first device obtaining the second identifier from the second message, or the first device allocating a second identifier to this request.
As an optional embodiment, the sending module includes:
a second sending sub-module, configured to provide the second quantum key and/or the second quantum random number, together with the second identifier, to the source second device.
As an optional embodiment, the apparatus further includes:
a fourth sending module, configured to send a third message to a third device that provides quantum key services to the destination second device.
As an optional embodiment, the third message carries the second identifier.
As an optional embodiment, the third message is used to:
cause the third device to provide the second identifier at the same time as it provides the second quantum key and/or the second quantum random number to the destination second device;
or cause the third device, upon receiving a fifth message carrying the second identifier from the destination second device, to provide the second quantum key and/or the second quantum random number to the destination second device according to the second identifier.
As an optional embodiment, the apparatus further includes:
a sixth receiving module, configured to receive a second message, requesting a quantum key, sent by the source second device;
an information acquisition module, configured to obtain the first quantum key and/or the first quantum random number from a cache pool.
As an optional embodiment, the apparatus further includes:
a third processing module, configured to store the first quantum key and/or the first quantum random number obtained from the first network, thereby forming the cache pool;
where the first quantum keys in the cache pool are obtained through negotiation between the first KM and the second KM in the QKD network.
As an optional embodiment, the apparatus further includes:
a fourth determining module, configured to determine that the first quantum key is to be obtained from the cache pool.
As an optional embodiment, the second message carries at least one of: device related information of the destination second device, service related information, key related information, and a second identifier;
correspondingly, the apparatus further includes:
a fourth processing module, configured to obtain the second identifier from the second message, or for the first device to allocate a second identifier to this key service.
As an optional embodiment, the sending module includes:
a third sending sub-module, configured to provide the second quantum key and/or the second quantum random number, together with the second identifier, to the source second device.
As an optional embodiment, the apparatus further includes:
a seventh sending module, configured to send a third message to a third device that provides quantum key services to the destination second device.
As an optional embodiment, the third message carries the second identifier.
As an optional embodiment, the third message is used to:
cause the third device to provide the second identifier at the same time as it provides the second quantum key and/or the second quantum random number to the destination second device;
or cause the third device, upon receiving a fifth message carrying the second identifier from the destination second device, to provide the second quantum key and/or the second quantum random number to the destination second device according to the second identifier.
As an optional embodiment, the third message carries a third identifier, which is used to identify the first quantum key and/or the first quantum random number.
As an optional embodiment, the third identifier is used to:
cause the third device to obtain the corresponding first quantum key and/or first quantum random number from the cache pool according to the third identifier.
As an optional embodiment, the apparatus further includes:
an eighth receiving module, configured to receive a third identifier sent by the third device, the third identifier being used to identify the first quantum key and/or the first quantum random number.
As an optional embodiment, the sending module includes:
a fourth sending sub-module, configured to provide the second quantum key and/or the second quantum random number to the second device, the second quantum key and/or the second quantum random number being used by the second device for security applications.
As an optional embodiment, the second quantum key and/or the second quantum random number is used by the second device as a session key, a key protection key, a root key, a master key, an encrypted storage key, or an authentication key.
As an optional embodiment, providing the second quantum key and/or the second quantum random number to the second device includes at least one of the following:
sending the second quantum key and/or the second quantum random number to the second device online;
injecting the second quantum key and/or the second quantum random number into the second device offline;
providing the second quantum key and/or the second quantum random number to the second device by wired means;
providing the second quantum key and/or the second quantum random number to the second device by wireless means.
In the embodiments of the present disclosure, the first device integrates the user network with the first network in a loosely coupled manner, thereby meeting the needs of future networks and services for diversified, large-scale application of quantum cryptography.
It should be noted that the quantum secure communication apparatus provided by the embodiments of the present disclosure is an apparatus capable of executing the quantum secure communication method described above; all embodiments of that method therefore apply to this apparatus and achieve the same or similar beneficial effects.
As shown in Figure 12, a device according to an embodiment of the present disclosure includes a memory 1210, a processor 1200, and a program stored in the memory 1210 and executable on the processor 1200. When the processor 1200 executes the program, each process of the quantum secure communication method embodiments described above is implemented with the same technical effect; to avoid repetition, this is not described again here.
An embodiment of the present disclosure further provides a computer-readable storage medium on which a computer program is stored. When executed by a processor, the program implements each process of the quantum secure communication method embodiments described above with the same technical effect; to avoid repetition, this is not described again here. The computer-readable storage medium may be, for example, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
As shown in Figure 13, an embodiment of the present disclosure further provides a quantum secure communication apparatus, applied to a third device, including:
a receiving unit 1301, configured to receive a first quantum key and/or a first quantum random number sent by a second KM in the QKD network, or to obtain the first quantum key and/or the first quantum random number from a cache pool;
a sending unit 1302, configured to provide a second quantum key and/or a second quantum random number to the destination second device.
As an optional embodiment, the sending unit includes:
a first sending sub-unit, configured to send a seventh message to the second KM in the QKD network and to receive the first quantum key and/or the first quantum random number sent by the second KM in the QKD network;
or configured to wait, in listening mode, for the second KM in the QKD network to send the first quantum key and/or the first quantum random number.
As an optional embodiment, the apparatus further includes:
a first receiving unit, configured to receive a third message sent by the first device that provides quantum key services to the source second device.
As an optional embodiment, the third message further carries a third identifier, which is used to identify the first quantum key and/or the first quantum random number.
As an optional embodiment, the apparatus further includes:
an acquisition unit, configured to obtain the corresponding first quantum key and/or first quantum random number from the cache pool according to the third identifier.
As an optional embodiment, the apparatus further includes:
a second sending unit, configured to send a third identifier to the first device after receiving the third message, the third identifier being used to identify the first quantum key and/or the first quantum random number.
As an optional embodiment, the sending unit is further configured to:
actively provide the second quantum key and/or the second quantum random number to the destination second device;
or provide the second quantum key and/or the second quantum random number to the destination second device after receiving a fifth message sent by the destination second device.
As an optional embodiment, the third message carries a second identifier.
As an optional embodiment, the sending unit is further configured to:
provide the second identifier at the same time as it provides the second quantum key and/or the second quantum random number to the destination second device;
or, upon receiving a fifth message carrying the second identifier from the destination second device, provide the second quantum key and/or the second quantum random number to the destination second device according to the second identifier.
In the embodiments of the present disclosure, the first device integrates the user network with the first network in a loosely coupled manner, thereby meeting the needs of future networks and services for diversified, large-scale application of quantum cryptography.
It should be noted that the quantum secure communication apparatus provided by the embodiments of the present disclosure is an apparatus capable of executing the quantum secure communication method described above; all embodiments of that method therefore apply to this apparatus and achieve the same or similar beneficial effects.
As shown in Figure 14, an embodiment of the present disclosure further provides a device including a memory 1410, a processor 1400, and a program stored in the memory 1410 and executable on the processor 1400. When the processor 1400 executes the program, each process of the quantum secure communication method embodiments described above is implemented with the same technical effect; to avoid repetition, this is not described again here.
An embodiment of the present disclosure further provides a computer-readable storage medium on which a computer program is stored. When executed by a processor, the program implements each process of the quantum secure communication method embodiments described above with the same technical effect; to avoid repetition, this is not described again here. The computer-readable storage medium may be, for example, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
An embodiment of the present disclosure further provides a quantum cryptography service network, including several first devices as described above and/or several third devices as described above.
It should be noted that the quantum cryptography service network may also be called a quantum key service network, a quantum cryptography/key service (network) layer, a quantum cryptography/key (security) service middle layer, a quantum cryptography/key security service network/service layer, a quantum cryptography/key infrastructure network/service layer, etc.
An embodiment of the present disclosure further provides a quantum secure communication system, including the quantum cryptography service network described above, the first network, and the user network.
It should be noted that the quantum cryptography service network may also be called a quantum key service network, a quantum cryptography/key service (network) layer, a quantum cryptography/key (security) service middle layer, a quantum cryptography/key security service network/service layer, a quantum cryptography/key infrastructure network/service layer, etc.
Those skilled in the art will appreciate that embodiments of the present disclosure may be provided as a method, a system, or a computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, magnetic disk storage and optical storage) containing computer-usable program code.
The present disclosure is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present disclosure. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable storage medium capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
The above are the preferred embodiments of the present disclosure. It should be noted that those of ordinary skill in the art can make several improvements and refinements without departing from the principles described in the present disclosure, and these improvements and refinements should also be regarded as falling within the scope of protection of the present disclosure.

Claims (48)

  1. A quantum secure communication method, comprising:
    a first device obtaining a first quantum key and/or a first quantum random number from a first network, or obtaining the first quantum key and/or the first quantum random number locally;
    providing a second quantum key and/or a second quantum random number to a second device.
  2. The method according to claim 1, further comprising:
    the first device determining whether a destination-side second device belongs to a node of its own region.
  3. The method according to claim 2, wherein the first device determining whether the destination-side second device belongs to a node of its own region comprises:
    the first device receiving a first message sent by a source-side second device, the first message carrying device-related information of the destination-side second device;
    determining, according to the device-related information of the destination-side second device, whether the destination-side second device belongs to a node of its own region.
  4. The method according to any one of claims 1-3, wherein providing the second quantum key and/or the second quantum random number to the second device comprises:
    providing the second quantum key and/or the second quantum random number to the source-side second device and the destination-side second device.
  5. The method according to claim 4, wherein providing the second quantum key and/or the second quantum random number to a plurality of second devices comprises:
    the first device directly providing the second quantum key and/or the second quantum random number to the source-side second device and the destination-side second device;
    or, the first device providing the second quantum key and/or the second quantum random number only to some of the second devices, so that those second devices send the second quantum key and/or the second quantum random number to the other second devices participating in the communication.
  6. The method according to claim 1, wherein providing the second quantum key and/or the second quantum random number comprises:
    providing the second device with its corresponding second quantum key and/or second quantum random number;
    or, separately encrypting the second quantum key and/or the second quantum random number corresponding to the second device, and then providing the encrypted second quantum key and/or second quantum random number.
  7. The method according to claim 6, wherein separately encrypting the second quantum key and/or the second quantum random number corresponding to each second device comprises:
    encrypting the second quantum key and/or the second quantum random number with a first key, wherein the first key is a symmetric key shared between the first device and each second device;
    or, encrypting the second quantum key and/or the second quantum random number with the public key corresponding to the digital certificate of the second device.
  8. The method according to claim 1, further comprising:
    the first device receiving a first message sent by the source-side second device, the first message carrying at least one of the following: device-related information of the destination-side second device, service-related information, key-related information, and a first identifier;
    obtaining the second quantum key and/or the second quantum random number, and the first identifier;
    providing the second quantum key and/or the second quantum random number, and the first identifier, to the source-side second device and/or the destination-side second device.
  9. The method according to claim 8, wherein providing the second quantum key and/or the second quantum random number, and the first identifier, to the source-side second device and/or the destination-side second device comprises one of the following:
    providing the second quantum key and/or the second quantum random number and the first identifier to the source-side second device, so that the source-side second device sends the first identifier to the destination-side second device;
    providing the second quantum key and/or the second quantum random number and the first identifier to the destination-side second device, so that the destination-side second device sends the first identifier to the source-side second device;
    providing the second quantum key and/or the second quantum random number and the first identifier to both the source-side second device and the destination-side second device.
  10. The method according to any one of claims 1-3, wherein the first device obtaining the first quantum key and/or the first quantum random number from the first network comprises:
    the first device receiving a second message, sent by the source-side second device, requesting a quantum key;
    sending a fourth message to a first key manager (KM) in a quantum key distribution (QKD) network;
    receiving the first quantum key and/or the first quantum random number sent by the first KM.
  11. The method according to claim 10, wherein the first quantum key is obtained by the first KM through negotiation with a second KM after receiving the fourth message.
  12. The method according to claim 10, further comprising:
    the first device determining that the first KM needs to provide the first quantum key, or the first device determining that the first quantum key in the current cache pool cannot satisfy the usage demand.
  13. The method according to claim 10, wherein the second message carries at least one of the following: device-related information of the destination-side second device, service-related information, key-related information, and a second identifier;
    correspondingly, the method further comprises:
    the first device obtaining the second identifier from the second message, or the first device allocating a second identifier for this request.
  14. The method according to claim 13, wherein providing the second quantum key and/or the second quantum random number to the second device comprises:
    providing the second quantum key and/or the second quantum random number, and the second identifier, to the source-side second device.
  15. The method according to claim 10, further comprising:
    sending a third message to a third device that provides quantum key service for the destination-side second device.
  16. The method according to claim 15, wherein the third message carries the second identifier.
  17. The method according to claim 16, wherein the third message is used to:
    cause the third device to provide the second identifier while providing the second quantum key and/or the second quantum random number to the destination-side second device;
    or, cause the third device, upon receiving a fifth message carrying the second identifier from the destination-side second device, to provide the second quantum key and/or the second quantum random number to the destination-side second device according to the second identifier.
  18. The method according to any one of claims 1-3, further comprising:
    the first device receiving a second message, sent by the source-side second device, requesting a quantum key;
    obtaining the first quantum key and/or the first quantum random number from a cache pool.
  19. The method according to claim 18, further comprising:
    the first device storing the first quantum key and/or the first quantum random number obtained from the first network, thereby forming the cache pool;
    wherein the first quantum key in the cache pool is obtained through negotiation between the first KM and the second KM in the QKD network.
  20. The method according to claim 18, further comprising:
    the first device determining to obtain the first quantum key from the cache pool.
  21. The method according to claim 18, wherein the second message carries at least one of the following: device-related information of the destination-side second device, service-related information, key-related information, and a second identifier;
    correspondingly, the method further comprises:
    the first device obtaining the second identifier from the second message, or the first device allocating a second identifier for this key service.
  22. The method according to claim 21, wherein providing the second quantum key and/or the second quantum random number to the second device comprises:
    providing the second quantum key and/or the second quantum random number, and the second identifier, to the source-side second device.
  23. The method according to claim 18, further comprising:
    sending a third message to a third device that provides quantum key service for the destination-side second device.
  24. The method according to claim 23, wherein the third message carries the second identifier.
  25. The method according to claim 24, wherein the third message is used to:
    cause the third device to provide the second identifier while providing the second quantum key and/or the second quantum random number to the destination-side second device;
    or, cause the third device, upon receiving a fifth message carrying the second identifier from the destination-side second device, to provide the second quantum key and/or the second quantum random number to the destination-side second device according to the second identifier.
  26. The method according to claim 23, wherein the third message carries a third identifier, the third identifier being used to identify the first quantum key and/or the first quantum random number.
  27. The method according to claim 26, wherein the third identifier is used to:
    cause the third device to obtain, according to the third identifier, the corresponding first quantum key and/or first quantum random number from a cache pool.
  28. The method according to claim 23, further comprising:
    receiving a third identifier sent by the third device, the third identifier being used to identify the first quantum key and/or the first quantum random number.
  29. The method according to claim 1, wherein providing the second quantum key and/or the second quantum random number to the second device comprises:
    providing the second quantum key and/or the second quantum random number to the second device, the second quantum key and/or the second quantum random number being used by the second device for security applications.
  30. The method according to claim 29, wherein the second quantum key and/or the second quantum random number is used by the second device as a session key, a key protection key, a root key, a master key, a storage encryption key, or an authentication key.
  31. The method according to claim 1, wherein providing the second quantum key and/or the second quantum random number to the second device comprises at least one of the following:
    sending the second quantum key and/or the second quantum random number to the second device online;
    filling the second quantum key and/or the second quantum random number into the second device offline;
    providing the second quantum key and/or the second quantum random number to the second device by wired means;
    providing the second quantum key and/or the second quantum random number to the second device by wireless means.
  32. A quantum secure communication apparatus, comprising:
    a processing module, configured to obtain a first quantum key and/or a first quantum random number from a first network, or to obtain the first quantum key and/or the first quantum random number locally;
    a sending module, configured to provide a second quantum key and/or a second quantum random number to a second device.
  33. A device, comprising a memory, a processor, and a program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the method according to any one of claims 1-31.
  34. A computer-readable storage medium storing a computer program, wherein the program, when executed by a processor, implements the steps of the method according to any one of claims 1-31.
  35. A quantum secure communication method, comprising:
    receiving a first quantum key and/or a first quantum random number sent by a second KM in a QKD network, or obtaining the first quantum key and/or the first quantum random number from a cache pool;
    providing a second quantum key and/or a second quantum random number to a destination-side second device.
  36. The method according to claim 35, wherein receiving the first quantum key and/or the first quantum random number sent by the second KM in the QKD network comprises:
    sending a seventh message to the second KM in the QKD network, and receiving the first quantum key and/or the first quantum random number sent by the second KM in the QKD network;
    or, in a listening mode, waiting for the second KM in the QKD network to send the first quantum key and/or the first quantum random number.
  37. The method according to claim 35, further comprising:
    receiving a third message sent by a first device that provides quantum key service for a source-side second device.
  38. The method according to claim 37, wherein the third message further carries a third identifier, the third identifier being used to identify the first quantum key and/or the first quantum random number.
  39. The method according to claim 38, further comprising:
    a third device obtaining, according to the third identifier, the corresponding first quantum key and/or first quantum random number from the cache pool.
  40. The method according to claim 37, further comprising:
    after receiving the third message, sending a third identifier to the first device, the third identifier being used to identify the first quantum key and/or the first quantum random number.
  41. The method according to claim 35, wherein providing the second quantum key and/or the second quantum random number to the destination-side second device comprises:
    actively providing the second quantum key and/or the second quantum random number to the destination-side second device;
    or, after receiving a fifth message sent by the destination-side second device, providing the second quantum key and/or the second quantum random number to the destination-side second device.
  42. The method according to claim 37, wherein the third message carries a second identifier.
  43. The method according to claim 42, wherein providing the second quantum key and/or the second quantum random number to the destination-side second device comprises:
    the third device providing the second identifier while providing the second quantum key and/or the second quantum random number to the destination-side second device;
    or, the third device, upon receiving a fifth message carrying the second identifier from the destination-side second device, providing the second quantum key and/or the second quantum random number to the destination-side second device according to the second identifier.
  44. A quantum secure communication apparatus, comprising:
    a receiving unit, configured to receive a first quantum key and/or a first quantum random number sent by a second KM in a QKD network, or to obtain the first quantum key and/or the first quantum random number from a cache pool;
    a sending unit, configured to provide a second quantum key and/or a second quantum random number to a destination-side second device.
  45. A device, comprising a memory, a processor, and a program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the method according to any one of claims 35-43.
  46. A computer-readable storage medium storing a computer program, wherein the program, when executed by a processor, implements the steps of the method according to any one of claims 35-43.
  47. A quantum cryptography service network, comprising a plurality of devices according to claim 33 and/or a plurality of devices according to claim 45.
  48. A quantum secure communication system, comprising: the quantum cryptography service network according to claim 47, a first network, and a user network.
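The claims above describe a message flow, not code. The following Python simulation is an added example (not code from the patent or its applicant) of the cross-region path in claims 10-28 and 35-43: a service node acting as the "first device" receives a key request (second message) from a source endpoint, serves it from its cache pool or has its KM negotiate a first quantum key with the peer KM, allocates a second identifier, and sends a third message carrying the second and third identifiers to the peer node acting as the "third device", which releases the key to the destination endpoint only on a fifth message carrying the second identifier. Each delivery is encrypted under a per-device symmetric key (claim 7's first key) using an encrypt-then-MAC wrap that binds the identifier. All names, message layouts, the wrap construction, the use of the first quantum key directly as the second quantum key, and the os.urandom stand-in for the QKD link are this example's own assumptions; the same-region path of claims 2-5 is not modelled.

```python
import hashlib
import hmac
import os
import secrets

def _subkeys(kek, nonce):
    # Per-message keystream and MAC key (32 bytes each) derived from the device's symmetric key.
    ks = hmac.new(kek, nonce, hashlib.sha512).digest()
    return ks[:32], ks[32:]

def wrap_key(kek, key_id, key):
    """Encrypt-then-MAC a 32-byte key under the per-device symmetric key (claim 7's first key)."""
    if len(key) != 32:
        raise ValueError("expected a 32-byte key")
    nonce = os.urandom(16)
    stream, mac_k = _subkeys(kek, nonce)
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(mac_k, key_id.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_key(kek, key_id, blob):
    """Verify the tag, which also binds the key identifier, before recovering the key."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    stream, mac_k = _subkeys(kek, nonce)
    expected = hmac.new(mac_k, key_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed authentication")
    return bytes(a ^ b for a, b in zip(ct, stream))

class KeyManager:
    """QKD-network KM; negotiate() stands in for the QKD link between two KMs (assumption)."""
    def __init__(self):
        self.keys = {}  # third identifier -> first quantum key

    def negotiate(self, peer):
        third_id = "k-" + secrets.token_hex(4)
        self.keys[third_id] = peer.keys[third_id] = os.urandom(32)  # constructed stand-in for QKD output
        return third_id

class Endpoint:
    """A 'second device' sharing a symmetric key (kek) with its service node."""
    def __init__(self):
        self.kek, self.keys = os.urandom(32), {}

    def receive(self, second_id, blob):
        self.keys[second_id] = unwrap_key(self.kek, second_id, blob)

class ServiceNode:
    """Service-network node: first device for its own endpoints, third device for a peer's."""
    def __init__(self, region, km):
        self.region, self.km, self.peers = region, km, {}
        self.pool = {}       # cache pool: third identifier -> first quantum key (claim 19)
        self.endpoints = {}  # name -> Endpoint in this region
        self.pending = {}    # second identifier -> (third identifier, destination name)

    def deliver(self, name, second_id, k2):
        ep = self.endpoints[name]
        ep.receive(second_id, wrap_key(ep.kek, second_id, k2))

    def handle_key_request(self, src, dst_region, dst, second_id=None):
        """Second message from the source endpoint (claims 10-16 and 18-24)."""
        second_id = second_id or "req-" + secrets.token_hex(4)  # claim 13: allocate if absent
        peer = self.peers[dst_region]
        if not self.pool:  # claim 12: the pool cannot satisfy demand, so the KM is asked
            third_id = self.km.negotiate(peer.km)  # claim 11: the two KMs negotiate
            self.pool[third_id] = self.km.keys[third_id]
        third_id = next(iter(self.pool))
        self.deliver(src, second_id, self.pool.pop(third_id))  # each quantum key is used once
        peer.handle_third_message(second_id, third_id, dst)  # third message (claims 15, 16, 26)
        return second_id

    def handle_third_message(self, second_id, third_id, dst):
        """Third-device side (claims 37-39): locate the first key by its third identifier."""
        if third_id not in self.pool:
            self.pool[third_id] = self.km.keys[third_id]  # claim 35: the second KM holds it
        self.pending[second_id] = (third_id, dst)

    def handle_fifth_message(self, dst, second_id):
        """Claims 41 and 43: the destination presents the second identifier to collect its key."""
        third_id, expected = self.pending[second_id]
        if expected != dst:
            raise PermissionError("identifier was not issued for this destination")
        del self.pending[second_id]
        self.deliver(dst, second_id, self.pool.pop(third_id))

def run_demo():
    """Two cross-region requests: the first served from the cache pool, the second via the KMs."""
    node_a, node_b = ServiceNode("A", KeyManager()), ServiceNode("B", KeyManager())
    node_a.peers["B"], node_b.peers["A"] = node_b, node_a
    alice = node_a.endpoints["alice"] = Endpoint()
    bob = node_b.endpoints["bob"] = Endpoint()
    pre = node_a.km.negotiate(node_b.km)  # pre-filled cache pool (claim 19)
    node_a.pool[pre] = node_a.km.keys[pre]
    for _ in range(2):  # first pass drains the pool, second forces KM negotiation (claim 12)
        sid = node_a.handle_key_request("alice", "B", "bob")
        node_b.handle_fifth_message("bob", sid)
    return alice.keys, bob.keys
```

`run_demo()` returns the key tables of both endpoints, which match entry by entry under the same second identifiers. Two checks the claims leave implicit are made explicit here: the third device releases a key only to the destination the identifier was issued for, and a wrapped key whose identifier, nonce or ciphertext has been altered fails the tag check instead of being silently accepted.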

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210531198.0 2022-05-16
CN202210531198.0A CN117118597A (en) 2022-05-16 2022-05-16 Quantum secret communication method and device, quantum cryptography service network and communication system

Publications (1)

Publication Number Publication Date
WO2023221856A1 true WO2023221856A1 (en) 2023-11-23

Family

ID=88798872

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/093515 WO2023221856A1 (en) 2022-05-16 2023-05-11 Quantum secure communication method and device, quantum password service network, and communication system

Country Status (2)

Country Link
CN (1) CN117118597A (en)
WO (1) WO2023221856A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100299526A1 (en) * 2008-01-25 2010-11-25 Qinetiq Limited Network having quantum key distribution
CN108134671A (en) * 2018-02-07 2018-06-08 浙江神州量子通信技术有限公司 A kind of transparent encryption system and its encipher-decipher method based on quantum true random number
CN111314074A (en) * 2020-02-25 2020-06-19 南京如般量子科技有限公司 Secret sharing and timestamp based quantum secret communication key distribution and negotiation system
CN114362927A (en) * 2020-10-14 2022-04-15 中国移动通信有限公司研究院 Key agreement method, device, equipment and storage medium
CN114499834A (en) * 2021-12-20 2022-05-13 北京邮电大学 Internet of things quantum key distribution method and system, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN117118597A (en) 2023-11-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23806808

Country of ref document: EP

Kind code of ref document: A1