CN103916239A - Quantum secret communication gateway system for financial security network - Google Patents


Info

Publication number: CN103916239A
Application number: CN201410140308.6A
Authority: CN (China)
Language: Chinese (zh)
Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Prior art keywords: network, module, quantum, encryption, business
Inventors: 韩家伟, 吴佳楠, 魏荣凯, 朱德新, 王士刚, 刘明辉, 盖永杰, 李念峰, 宋立军
Original assignee: Changchun University
Current assignee: Changchun University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Events: application filed by Changchun University; priority to CN201410140308.6A; publication of CN103916239A; legal status withdrawn


Abstract

The invention discloses a quantum secret communication gateway system for a financial securities network. A DPI analysis module performs application-layer analysis of network data streams to recognise the service type of each application and submits the result to an encryption policy selection module; the encryption policy selection module, on the basis of stored policies, selects quantum key encryption, conventional key encryption or transparent transmission according to the priority assigned to services of different levels; a network transparent transmission or conventional key encryption module either forwards traffic transparently without encryption or encrypts it with a conventional algorithm whose security rests on algorithmic complexity; and a quantum key encryption module carries out quantum-encrypted transmission. The system distinguishes and identifies the core service traffic of the financial securities network, applies graded encryption to the different types of service flow, selects quantum key distribution encryption or conventional encryption according to the encryption policy, realises quantum secret communication for the core service traffic, and preserves the transmission efficiency of the network's financial services.

Description

Quantum secret communication gateway system for a financial securities network
Technical field
The invention belongs to the field of secure communication technology and in particular relates to a quantum secret communication gateway system for a financial securities network.
Background art
Quantum secret communication is a communication mode, built on the Heisenberg uncertainty principle and the quantum no-cloning theorem, that is described as "unconditionally secure" in the physical sense. It uses single quantum states as the information carrier: because a single quantum state cannot be cloned, and because any measurement changes the state, an eavesdropper cannot obtain any useful information without being detected. The legitimate receiver can infer that the channel is being eavesdropped from the change in the quantum state, which guarantees the security of the communication process. This high-security communication mode therefore has a large advantage over traditional encryption whose security rests on algorithmic complexity, and it has important research value in national defence, military, political, financial and other fields.
In the 1980s C. H. Bennett and G. Brassard first proposed a quantum key distribution protocol using polarised light, known as the BB84 protocol. Other researchers later proposed schemes such as B92 and E91. Quantum secret communication has now undergone nearly 30 years of fundamental research and security verification, is approaching practical maturity, and has attracted strong attention from countries around the world, accelerating its industrialisation. Developed countries and regions such as the United States, Europe and Japan have begun exploring high-speed quantum communication and large-scale secret communication networks, and China has also listed quantum secure communication technology and its industrialisation as a key research project.
In quantum secret communication the information carrier is a single photon. Because of the attenuation of single photons in the fibre channel, the limited efficiency of the detectors, and the sifting and error-correction steps of quantum key generation, the key generation rate of commercial systems is markedly lower than the data rate of high-speed networks. This limitation easily makes quantum secure communication technology the bottleneck of high-speed network transmission, greatly restricting its scope of application and hindering its practical development.
In recent years, with the rapid development of the national economy and the further opening of the domestic securities industry, financial securities networks have kept growing in scale. Most financial institutions currently use data networks such as Synchronous Digital Hierarchy (SDH) and Asynchronous Transfer Mode (ATM) to provide fixed (virtual) circuits connecting the departments and branches that need to communicate. Data leaving the internal network travels over public carrier lines without protection, giving attackers the opportunity to intrude by wiretapping, electromagnetic leakage and other means. With the development of electronic finance, the financial sector depends more and more on computer networks for everything from funds transactions to information services such as office automation.
At present the encryption used in financial securities networks is mainly traditional key encryption devices or VPN technology, applying the cryptographic algorithms in common use internationally; all of these are algorithms whose security rests on computational complexity. Technologies such as VPN mostly exchange keys with the Internet Key Exchange (IKE) scheme, so the keys in use are all derived by computation after an information exchange over the conventional network, which leaves transmission exposed to significant security risk. Quantum key encryption is unconditionally secure and can transmit reliably over a channel encrypted with quantum keys, but in current quantum key distribution the key generation rate and the key volume are both very limited; if it were applied to the high-speed transmission of every application on a financial securities network it would greatly reduce transmission efficiency and itself become a bottleneck. There is therefore an urgent need for a technique that can identify the service traffic in a financial securities network that requires high-security encryption, and that combines quantum encryption with conventional encryption, so as to guarantee strong security for the core business of the financial securities network together with high transmission efficiency.
Summary of the invention
The embodiments of the present invention aim to provide a quantum secret communication gateway system for a financial securities network that distinguishes and identifies the core service traffic of the network, applies graded encryption to the different service flows, selects quantum key distribution encryption or conventional encryption according to an encryption policy based on each service's security level, realises quantum secret communication for the core service traffic of the financial securities network, and preserves the transmission efficiency of the network's financial services.
The embodiments are implemented as follows. A quantum secret communication gateway system for a financial securities network comprises: a network access module, a DPI analysis module, an encryption policy selection module, a network transparent transmission or conventional encryption module, a quantum key encryption module, and a policy library.
The network access module provides selectable, extensible network interfaces: according to the needs of the actual network wiring, the board carries multiple PCI-E interfaces and connects the various WAN-side and LAN-side interfaces through conversion modules.
The DPI analysis module, connected to the network access module, performs application-layer analysis of network data streams to identify the various applications and their content. It classifies the data streams entering the module by the protocol of each application, distinguishes and marks the core and transaction services of the finance and securities network from the ordinary service applications used by the office network, and submits the result to the encryption policy selection module.
The encryption policy selection module, connected to the DPI analysis module, selects encryption according to the actual security requirement level of each service in the financial securities network and the quantum key generation state reported by the quantum encryption module, using encryption policies predefined by the user in the policy library. Encryption policy priority is divided into four grades: quantum encryption mandatory; quantum key encryption or conventional encryption selected according to quantum key conditions; conventional encryption only; no encryption required.
The network transparent transmission or traditional key encryption module, connected to the encryption policy selection module, acts on the instructions of that module: service traffic that does not need encryption is forwarded transparently in store-and-forward mode, and traffic that requires encryption with a conventional cipher whose security rests on the algorithm is encrypted with DES, AES, 3DES, OTP, RSA or IPsec.
The quantum key encryption module, connected to the encryption policy selection module, negotiates with the quantum key distribution equipment over the quantum link on instruction from the policy selection module and obtains the current quantum key quantity and key generation rate. It judges the negotiation result against the current key demand of the services to be quantum-encrypted: when quantum key distribution is available it carries out quantum-encrypted transmission, and when keys are insufficient or the generation rate is abnormal it uses service traffic buffering and key store expansion techniques to keep quantum secret communication flowing.
The policy library, connected to the encryption policy selection module, defines the encryption policies.
Further, the WAN-side interfaces include analogue, ISDN BRI, E1/T1, GSM/WCDMA, and the SDH, ATM and PTN leased lines widely used for access to financial securities networks. The LAN side connects the various LAN interfaces through conversion modules, including single-mode fibre, multi-mode fibre and Ethernet RJ-45 interfaces, and can connect to LAN network equipment such as routers, firewalls and switches.
Further, the DPI analysis module is implemented as follows:
After the DPI engine starts, it extracts flow features with a feature extraction algorithm according to the application-layer protocol types used by the different services in the network, the protocol ports, and the payload of the network packets. Feature extraction covers the application protocol type, features mapped from protocol ports, features of the deep payload of the packets, and statistical features of the network flow. The DPI engine mines, by deep inspection, the unique feature strings that appear stably in the packets of each application protocol; these strings mark the protocol code of the network communication. They are matched against the core business feature database of the financial securities network through a global feature-vector hash mapping table to identify whether the current network data stream belongs to the core business traffic whose strong security must be guaranteed by quantum encryption; traffic that has been classified in this way is treated as core business of the financial securities network.
Further, when judging the degree of correlation between a flow feature and the features of a target service class, the mutual information from information theory is used after normalisation. The degree of correlation between the flow feature f and the target service class class is written R(f, class) and computed as

$$R(f,\text{class}) = \frac{2\,I(f;\text{class})}{H(f) + H(\text{class})}, \qquad 0 \le R(f,\text{class}) \le 1$$

where f and class denote the network flow feature and the target service class respectively, H(f) and H(class) are the entropies of f and class, and I(f; class) is the mutual information of f and class.
Entropy measures the uncertainty of a random variable. For a discrete random variable X with value space S_X and probability mass function p(x), x ∈ S_X, the entropy of X is defined as

$$H(X) = -\sum_{x \in S_X} p(x) \log p(x)$$

The amount of information shared by two discrete random variables X and Y is measured by their mutual information:

$$I(X;Y) = \sum_{x \in S_X} \sum_{y \in S_Y} p(x,y) \log \frac{p(x,y)}{p(x)\,p(y)}$$

Given a variable Z, the amount of information shared by X and Y is measured by the conditional mutual information:

$$I(X;Y \mid Z) = \sum_{x \in S_X} \sum_{y \in S_Y} \sum_{z \in S_Z} p(x,y,z) \log \frac{p(x,y \mid z)}{p(x \mid z)\,p(y \mid z)}$$

Further, the security policies used by the encryption policy selection module are formulated by the security administrator and stored in the policy library. They configure different levels for the various flows whose service classification has been determined, and are expressed as a 7-tuple:
P = <ID, BType, BLevel, EncyptPrior, QKDstatus, EncyptType, Forward>
where ID is the policy number; BType is the service type; BLevel is the service level; EncyptPrior is the encryption priority; QKDstatus is the state of the current quantum key distribution system as provided by the quantum encryption module; EncyptType is the encryption type; and Forward is the destination module to which the service stream is forwarded according to the encryption type, namely the quantum encryption module, the conventional encryption module, or the network transparent transmission (no encryption) module.
The user can formulate policies for the various core and ordinary services of the financial securities network. For example, <0001, 1, 1, working:2M:50k, QEN, QM> represents a quantum key encryption policy: the sequence number is 1; the service type is class 1 (user-defined; for example class 1 denotes a certain transaction service of the financial securities network); the service level is 1 (user-defined, representing the security level the service requires; for example 1 denotes the highest security level); the state of the quantum key distribution system obtained from the quantum encryption module is: operating normally, the number of final quantum keys greater than 2M, and the key generation rate greater than 50 kbps; quantum key encryption is selected, and the service traffic is forwarded to the quantum encryption module for processing.
The quantum secret communication gateway system for a financial securities network provided by the invention applies DPI, an application-layer traffic detection and control technology, to the traffic of the financial securities network to distinguish and identify its core service traffic, applies graded encryption to the different service flows, selects quantum key distribution encryption or conventional encryption according to an encryption policy based on each service's security level, realises quantum secret communication for the core service traffic of the financial securities network, and preserves the transmission efficiency of the network's financial services.
Brief description of the drawings
Fig. 1 is a structural diagram of the quantum secret communication gateway system for a financial securities network provided by an embodiment of the present invention;
In the figure: 1, network access module; 2, DPI analysis module; 3, encryption policy selection module; 4, network transparent transmission or conventional encryption module; 5, quantum key encryption module; 6, policy library;
Fig. 2 is a flow chart of the specific implementation of the DPI analysis module provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the integration of the quantum secret communication network access application gateway system of the financial securities network provided by an embodiment of the present invention.
Embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further explained below with reference to embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
The principle of application of the invention is further described below with reference to the drawings and the specific embodiments.
Fig. 1 shows the structure of the quantum secret communication gateway system for a financial securities network according to the present invention. As shown, the system comprises six modules: network access module 1, DPI (deep packet inspection) analysis module 2, encryption policy selection module 3, network transparent transmission or conventional encryption module 4, quantum key encryption module 5, and policy library 6. The gateway system of the invention operates at the junction between the wide-area network of the financial securities network and the local business network and office network.
Network access module 1 provides selectable, extensible network interfaces: according to the needs of the actual network wiring, the board carries multiple PCI-E interfaces and connects the various WAN-side and LAN interfaces through conversion modules.
DPI analysis module 2, connected to network access module 1, performs application-layer analysis of network data streams to identify the various applications and their content. It classifies the data streams entering the module by the protocol of each application, distinguishes and marks the core and transaction services of the finance and securities network from the ordinary service applications used by the office network, and submits the result to encryption policy selection module 3.
Encryption policy selection module 3, connected to DPI analysis module 2, selects encryption according to the actual security requirement level of each service in the financial securities network and the quantum key generation state reported by the quantum encryption module, using encryption policies predefined by the user in policy library 6. Encryption policy priority may be divided into four grades: quantum encryption mandatory; quantum key encryption or conventional encryption selected according to quantum key conditions; conventional encryption only; no encryption required.
Network transparent transmission or traditional key encryption module 4, connected to encryption policy selection module 3, acts on the instructions of module 3: service traffic that does not need encryption is forwarded transparently in store-and-forward mode, and traffic that requires encryption with a conventional cipher whose security rests on the algorithm is encrypted with traditional algorithms such as DES, AES, 3DES, OTP, RSA or IPsec.
Quantum key encryption module 5, connected to encryption policy selection module 3, negotiates with the quantum key distribution equipment over the quantum link on instruction from module 3 and obtains the current quantum key quantity and key generation rate. It judges the negotiation result against the current key demand of the services to be quantum-encrypted: when quantum key distribution is available it carries out quantum-encrypted transmission, and when keys are insufficient or the generation rate is abnormal it uses service traffic buffering and key store expansion techniques to keep quantum secret communication flowing.
Policy library 6, connected to encryption policy selection module 3, defines the encryption policies.
The principle of the invention is further described with reference to Figs. 1 to 3:
The network access module provides selectable, extensible network interfaces. According to the needs of the actual network wiring, the board carries multiple PCI-E interfaces and connects the various WAN-side interfaces through conversion modules, including analogue, ISDN BRI, E1/T1 and GSM/WCDMA interfaces and the SDH, ATM and PTN leased lines widely used by financial securities networks today. The LAN side connects the various LAN interfaces through conversion modules, including single-mode fibre, multi-mode fibre and Ethernet RJ-45 interfaces, and can connect to LAN network equipment such as routers, firewalls and switches.
The DPI analysis module, connected to the network access module, performs deep packet inspection of the network data streams. By analysing the network traffic it recognises the fingerprint features of the various applications and their content, classifies the data streams entering the DPI analysis module by service, distinguishes and marks the core and transaction services of the finance and securities network from the ordinary service applications of the office network, and submits the result to the encryption policy selection module.
Functionally, when network traffic enters the quantum secret communication network access application gateway of the financial securities network, it is passed by the network access module to the DPI analysis module. The DPI analysis module uses a multi-core parallel architecture to identify network service traffic on the basis of deep packet inspection. It distinguishes the various services of the financial securities network; according to the user's network security needs, the core services of the financial securities network and those services in the office network with high security requirements are identified by means of a core-business feature database defined by the user together with pattern recognition techniques.
As shown in Fig. 2, the DPI analysis module is implemented as follows:
After the DPI engine starts, it extracts flow features with a feature extraction algorithm according to the application-layer protocol types used by the different services in the network, the protocol ports, and the payload of the network packets. Feature extraction covers the application protocol type, features mapped from protocol ports, features of the deep payload of the packets, and statistical features of the network flow. The DPI engine mines, by deep inspection, the unique feature strings that appear stably in the packets of each application protocol; these strings are mainly used to mark the protocol code of the network communication. They are matched against the core business feature database of the financial securities network through a global feature-vector hash mapping table to identify whether the current network data stream belongs to the core business traffic whose strong security must be guaranteed by quantum encryption. Traffic that has been classified in this way is treated as core business of the financial securities network; for example, transaction-subsystem traffic carrying transaction feature words, and ordinary HTTP access traffic of the office system with lower security requirements, are each submitted to the encryption policy selection module for processing.
In the above process:
When judging the degree of correlation between a flow feature and the features of a target service class, the mutual information from information theory can be used after normalisation. The degree of correlation between the flow feature f and the target service class class is written R(f, class) and computed as in formula (1):

$$R(f,\text{class}) = \frac{2\,I(f;\text{class})}{H(f) + H(\text{class})}, \qquad 0 \le R(f,\text{class}) \le 1 \tag{1}$$

where f and class denote the network flow feature and the target service class respectively, H(f) and H(class) are the entropies of f and class, and I(f; class) is the mutual information of f and class. The basic notions of entropy, mutual information and conditional mutual information from information theory used in the present invention are:
Entropy measures the uncertainty of a random variable. For a discrete random variable X with value space S_X and probability mass function p(x), x ∈ S_X, the entropy of X is defined as

$$H(X) = -\sum_{x \in S_X} p(x) \log p(x) \tag{2}$$

The amount of information shared by two discrete random variables X and Y is measured by their mutual information:

$$I(X;Y) = \sum_{x \in S_X} \sum_{y \in S_Y} p(x,y) \log \frac{p(x,y)}{p(x)\,p(y)} \tag{3}$$

Given a variable Z, the amount of information shared by X and Y is measured by the conditional mutual information:

$$I(X;Y \mid Z) = \sum_{x \in S_X} \sum_{y \in S_Y} \sum_{z \in S_Z} p(x,y,z) \log \frac{p(x,y \mid z)}{p(x \mid z)\,p(y \mid z)}$$
The encryption policy selection module is implemented as follows:
The encryption policy selection module selects encryption according to the actual security requirement level of each service in the financial securities network and the quantum key generation state reported by the quantum encryption module, using encryption policies predefined by the user in the policy library. Encryption policy priority can be divided into: 1. quantum encryption mandatory; 2. quantum key encryption or conventional encryption selected according to quantum key conditions; 3. conventional encryption required; 4. no encryption required.
Security policies are formulated by the security administrator and stored in the policy library. They configure different levels for the various flows whose service classification has been determined, and are expressed as a 7-tuple:
P = <ID, BType, BLevel, EncyptPrior, QKDstatus, EncyptType, Forward>
where ID is the policy number; BType is the service type; BLevel is the service level; EncyptPrior is the encryption priority; QKDstatus is the state of the current quantum key distribution system as provided by the quantum encryption module; EncyptType is the encryption type; and Forward is the destination module to which the service stream is forwarded according to the encryption type, namely the quantum encryption module, the conventional encryption module, or the network transparent transmission (no encryption) module.
The user can formulate policies for the various core and ordinary services of the financial securities network. For example, <0001, 1, 1, working:2M:50k, QEN, QM> represents a quantum key encryption policy: the sequence number is 1; the service type is class 1 (user-defined; for example class 1 denotes a certain transaction service of the financial securities network); the service level is 1 (user-defined, representing the security level the service requires; for example 1 denotes the highest security level); the state of the quantum key distribution system obtained from the quantum encryption module is: operating normally, the number of final quantum keys greater than 2M, and the key generation rate greater than 50 kbps; quantum key encryption is selected, and the service traffic is forwarded to the quantum encryption module for processing.
The network transparent transmission or conventional encryption module is implemented as follows:
The network transparent transmission or traditional key encryption module acts on the instructions given by the encryption policy selection module: service traffic that does not need encryption is forwarded transparently in store-and-forward mode, and traffic that requires encryption with a conventional cipher whose security rests on the algorithm is encrypted with traditional algorithms such as DES, AES, 3DES, OTP, RSA or IPsec (network transparent transmission and conventional encryption each communicate with the peer over a different link interface).
Quantum key encrypting module concrete methods of realizing:
The quantum key encryption module is connected to the quantum key distribution (QKD) equipment through a conventional link and a fiber-optic quantum key distribution link. The QKD equipment at the two ends of the wide area network forms the Alice end and the Bob end; it may use the BB84 protocol, which governs the generation, sifting, control and synchronization of the quantum key between the two ends. Each of the Alice and Bob ends is connected both to the fiber-optic quantum key link and to the conventional link. An ideal QKD protocol requires an exact single-photon source. No ideal single-photon source exists in practice, so a laser is usually attenuated to approximate one; because the photon number of the attenuated laser still follows a Poisson distribution, multi-photon pulses occur and the link is exposed to photon-number-splitting attacks, against which a method such as decoy-state quantum key distribution can be adopted. The Alice and Bob ends are equipped with a single-photon source and single-photon detectors, share a quantum key by the BB84 method, and obtain the final quantum key through quantum key generation, key testing (error-rate estimation), key error correction and privacy amplification. On the instruction of the encryption policy selection module, the quantum key encryption module negotiates with the QKD equipment over the quantum link, obtains parameters such as the current quantum key quantity and the key generation rate, and passes them to the encryption policy selection module for the policy decision. It then judges, from the key demand of the service currently to be quantum-encrypted, whether the quantum key distribution condition is satisfied; if so, the service is transmitted with quantum encryption directly. When the quantum key quantity is temporarily insufficient or the key generation rate is abnormal, the service traffic can be buffered and its flow rate controlled so that encryption stays synchronized with key generation, or a key-store expansion technique can be applied, so that the quantum secret communication continues without interruption (any such expansion yields more key material than the quantum link delivered, so the security of the expanded keys rests on the expansion algorithm rather than on the quantum channel).
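The sifting and key-testing steps just described, as an added example that is not part of the patent or of any product it describes: Alice and Bob choose random bits and bases, keep only the positions whose bases agree (sifting), then sacrifice a sample of the sifted bits to estimate the quantum bit error rate (QBER). An intercept-resend eavesdropper is included to show why the QBER check is the protocol's security test. The channel is assumed lossless, noise-free and single-photon, and the 11% abort threshold is the commonly quoted bound for one-way BB84 post-processing; decoy states, error correction and privacy amplification are not modelled.

```python
"""Added example: BB84 basis sifting and QBER estimate (not the patent's code)."""
import random

QBER_ABORT_THRESHOLD = 0.11  # assumed bound; a deployed system uses its own figure


def bb84_sift(n, rng, eve=False):
    """Return (alice_sifted, bob_sifted) after basis reconciliation.

    Basis 0 = rectilinear, 1 = diagonal. Measuring in the preparation basis
    returns the prepared bit; measuring in the other basis returns a uniformly
    random bit, which is all this model needs.
    """
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        sent_bit, sent_basis = bit, a_basis
        if eve:
            # Intercept-resend: Eve measures in a guessed basis and re-sends
            # the state she observed, prepared in her own basis.
            e_basis = rng.randrange(2)
            sent_bit = bit if e_basis == a_basis else rng.randrange(2)
            sent_basis = e_basis
        bob_bits.append(sent_bit if b_basis == sent_basis else rng.randrange(2))
    # Sifting: bases are compared over the public channel, bit values are not.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def estimate_qber(alice_sifted, bob_sifted, rng, sample_fraction=0.25):
    """Key testing: publicly compare a random sample of sifted bits.

    Returns (qber, alice_key, bob_key); the sampled bits are discarded
    because their values were disclosed.
    """
    idx = list(range(len(alice_sifted)))
    rng.shuffle(idx)
    k = max(1, int(len(idx) * sample_fraction))
    sample, rest = idx[:k], sorted(idx[k:])
    errors = sum(alice_sifted[i] != bob_sifted[i] for i in sample)
    return errors / k, [alice_sifted[i] for i in rest], [bob_sifted[i] for i in rest]


def run_session(n, seed, eve=False):
    """One QKD session; a QBER above the threshold aborts and yields no key."""
    rng = random.Random(seed)
    a, b = bb84_sift(n, rng, eve=eve)
    qber, a_key, b_key = estimate_qber(a, b, rng)
    accepted = qber <= QBER_ABORT_THRESHOLD
    return {
        "sifted": len(a),
        "qber": qber,
        "accepted": accepted,
        "key_bits": len(a_key) if accepted else 0,
        "keys_match": a_key == b_key,
    }


if __name__ == "__main__":
    for eve in (False, True):
        print("with eve" if eve else "no eve", run_session(4000, seed=1, eve=eve))
```

Without an eavesdropper the sifted bits agree exactly and about half of the raw bits survive sifting; with intercept-resend, Eve guesses the wrong basis half of the time and then Bob's bit is random half of the time, so the QBER settles near 25% and the session aborts instead of producing key. This is the "key testing" result the gateway relies on when it reports key quantity and generation rate.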
FIG. 3 shows the integration of the quantum secret communication network access application gateway of the present invention. The quantum access application gateway is mainly deployed at the two ends of the wide-area fiber link between the headquarters of the financial securities network and its branches or outlets, and supports the SDH, ATM and PTN fiber circuits that financial securities networks currently lease from telecom operators in most cases. In the figure, device 1 is the quantum secret communication network access application gateway of the financial securities network and device 2 is the quantum key distribution equipment (QKD system); the QKD equipment at the two ends forms the Alice end and the Bob end, may use the BB84 protocol, and manages the generation, sifting, control and synchronization of the quantum key between the two ends. The financial quantum secret communication gateways at the two ends of the wide-area link are connected by one or more conventional encrypted data circuits and one quantum encryption link, which carry the encrypted traffic of the different security levels; the QKD equipment at the two ends is connected by the quantum key distribution link and performs quantum key generation, synchronization, detection and distribution based on single photons with decoy states. The QKD equipment as a whole communicates with the quantum encryption module of the quantum access gateway over the conventional data link and the quantum QKD link, and negotiates the quantum encryption of the core service streams of the financial quantum network.
The present invention applies application-layer traffic detection and control based on DPI (deep packet inspection) to the traffic of the financial securities network in order to distinguish and identify the core service traffic of that network, encrypts the different service streams at graded levels, selects quantum-key-distribution encryption or conventional encryption according to the encryption policy on the basis of each service's security level, and thereby achieves quantum secret communication for the core service traffic of the financial securities network while taking account of the transmission efficiency of banking network services.
The above is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (5)

1. A quantum secret communication gateway system for a financial securities network, characterized in that the system comprises: a network access module, a DPI analysis module, an encryption policy selection module, a network transparent transmission or conventional encryption module, a quantum key encryption module, and a policy library;
the network access module provides extensible network interface selection: according to the needs of the actual network wiring, the board carries multiple PCI-E interfaces and connects, through conversion modules, to various WAN-side interfaces and LAN-side interfaces;
the DPI analysis module is connected to the network access module and performs deep packet inspection on the network data stream; by analyzing the network traffic it recognizes the fingerprint features of the various applications and their content in the network stream, classifies the data streams entering the module by service, distinguishes and identifies the core services and transaction services of the finance and securities network from the conventional service applications used by the office network, and submits the result to the encryption policy selection module;
the encryption policy selection module is connected to the DPI analysis module and selects encryption according to the security requirement level of each service in the financial securities network and the quantum key generation state reported by the quantum encryption module, following the encryption policies defined in advance by the user in the policy library; the encryption policies are divided into four priority grades: must be quantum-encrypted; quantum key encryption or conventional encryption selected according to the quantum key condition; conventional encryption only; and no encryption required;
the network transparent transmission or conventional key encryption module is connected to the encryption policy selection module and, according to the instruction given by that module, transparently forwards in store-and-forward mode the network service traffic that does not need encryption, and encrypts the traffic that needs encryption with a conventional algorithm whose security rests on the algorithm, such as DES, AES, 3DES, OTP, RSA or IPSEC;
the quantum key encryption module is connected to the encryption policy selection module and, according to the instruction of that module, negotiates with the quantum key distribution equipment over the quantum link to obtain the current quantum key quantity and key generation rate; it judges, from the key demand of the service currently to be quantum-encrypted, whether the quantum key distribution condition is satisfied and, if so, performs quantum encrypted transmission; when the key quantity is insufficient or the generation rate is abnormal, it buffers the service traffic or applies a key-store expansion technique to keep the quantum secret communication flowing;
the policy library is connected to the encryption policy selection module and is used to define the encryption policies.
2. The quantum secret communication gateway system for a financial securities network according to claim 1, characterized in that the WAN-side interfaces comprise analog, ISDN BRI, E1/T1, GSM/WCDMA, and the SDH, ATM and PTN leased lines widely used to access the financial securities network; the LAN-side interfaces connect to the various local-area interfaces through conversion modules, comprising single-mode fiber, multi-mode fiber and Ethernet RJ-45 interfaces, and can be connected to the routers, firewalls or switches of the local area network.
3. The quantum secret communication gateway system for a financial securities network according to claim 1, characterized in that the DPI analysis module is implemented as follows:
after the DPI engine starts, it extracts traffic features with a feature extraction algorithm according to the application-layer protocol type used by each service in the network, the protocol port, and the payload of the network packets; feature extraction covers the application protocol type and protocol port, the deep-layer payload content of the packets, and the statistical features of the network flow; by deep mining, the DPI engine finds the unique feature strings that regularly and stably appear in the packets of each application protocol and uses them to mark the application-protocol code of the network communication; it matches these against the core service feature database of the financial securities network through a global feature-vector hash mapping table, and thereby identifies whether the current network data stream belongs to the core service traffic of the financial securities network whose high security must be guaranteed by quantum encryption, so that for the traffic that has been service-classified it effectively recognizes whether the traffic belongs to the core services of the financial securities network.
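The feature-extraction and hash-table lookup of claim 3, as an added example that is not part of the patent or of any product it describes. A packet's (transport protocol, destination port, payload feature string) is extracted, hashed into a fixed-size key, and matched against a constructed core-service feature database; when the payload is opaque, the classifier falls back to the port alone. The "8=FIX." prefix is the real tag that opens a FIX protocol message and the HTTP and TLS prefixes are standard; the port assignments, the database contents and the sample packets are constructed for this illustration.

```python
"""Added example: a minimal DPI classifier for service classification (not the patent's code)."""
import hashlib
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto dst_port payload")

# Payload feature strings: stable byte patterns at the start of a message.
SIGNATURES = (
    ("fix", re.compile(rb"^8=FIX\.\d\.\d\x01")),              # FIX trading message
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) /")),  # HTTP request line
    ("tls-handshake", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS handshake record
)


def payload_feature(payload):
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "opaque"  # no known feature string; content is not classifiable


def feature_vector(pkt):
    return (pkt.proto, pkt.dst_port, payload_feature(pkt.payload))


def feature_key(vector):
    """Hash the global feature vector so table keys are fixed-size and cheap to compare."""
    return hashlib.sha256("|".join(map(str, vector)).encode()).hexdigest()


# Constructed core-service feature database: hashed feature vector -> (service, is_core).
# Port 9878 as the FIX trading port is an assumption for this example.
FEATURE_DB = {
    feature_key(("tcp", 9878, "fix")): ("transaction", True),
    feature_key(("tcp", 80, "http")): ("office-web", False),
    feature_key(("tcp", 443, "tls-handshake")): ("office-web-tls", False),
}

# Fallback used only when the payload is opaque: port-based guess (weaker evidence).
PORT_DB = {9878: ("transaction", True), 443: ("office-web-tls", False)}


def classify(pkt):
    """Return (service, is_core) for one packet, exact feature match first."""
    vec = feature_vector(pkt)
    hit = FEATURE_DB.get(feature_key(vec))
    if hit is not None:
        return hit
    if vec[2] == "opaque" and pkt.dst_port in PORT_DB:
        return PORT_DB[pkt.dst_port]
    return ("unknown", False)


# Constructed sample packets.
SAMPLE_PACKETS = [
    Packet("tcp", 9878, b"8=FIX.4.2\x019=65\x0135=D\x01"),
    Packet("tcp", 80, b"GET /intranet/ HTTP/1.1\r\nHost: portal\r\n\r\n"),
    Packet("tcp", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
    Packet("tcp", 9878, b"\x17\x03\x03\x00\x20" + bytes(32)),  # encrypted record on the FIX port
    Packet("udp", 5000, b"\x00\x01\x02"),
]


def classify_all(packets=SAMPLE_PACKETS):
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for pkt, result in zip(SAMPLE_PACKETS, classify_all()):
        print(pkt.proto, pkt.dst_port, payload_feature(pkt.payload), "->", result)
```

The fourth sample packet is the practical limit of this approach: once the payload is already encrypted, no content feature string is visible and the verdict rests on the port (or, in a fuller engine, on flow statistics). Since that verdict decides whether a stream is routed to quantum encryption, a gateway of this design needs the DPI stage placed where it still sees cleartext, and a policy that treats unclassified traffic conservatively.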
4. The quantum secret communication gateway system for a financial securities network according to claim 3, characterized in that the degree of correlation between a traffic feature and a target service class is measured with the normalized mutual information of information theory and is expressed as R(f, class), computed as follows:
$$R(f,\mathrm{class}) = \frac{2\,I(f;\mathrm{class})}{H(f)+H(\mathrm{class})}, \qquad 0 \le R(f,\mathrm{class}) \le 1$$
where f and class denote the network flow feature and the target service class respectively, H(f) and H(class) denote the entropies of f and class, and I(f; class) is the mutual information of f and class;
entropy is the measure of the uncertainty of a random variable: for a discrete random variable X with value space S_X and probability mass function p(x), x ∈ S_X, the entropy of X is defined as
$$H(X) = -\sum_{x \in S_X} p(x)\log p(x)$$
the degree to which two discrete random variables X and Y share information is measured by their mutual information:
$$I(X;Y) = \sum_{x \in S_X}\sum_{y \in S_Y} p(x,y)\log\frac{p(x,y)}{p(x)\,p(y)}$$
and the degree to which X and Y share information when a variable Z is known is measured by the conditional mutual information:
$$I(X;Y \mid Z) = \sum_{x \in S_X}\sum_{y \in S_Y}\sum_{z \in S_Z} p(x,y,z)\log\frac{p(x,y \mid z)}{p(x \mid z)\,p(y \mid z)}.$$
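The relevance measure R(f, class) of claim 4, carried through with the same symbols over a constructed set of classified flows, as an added example that is not part of the patent. Entropy, mutual information and conditional mutual information are computed from empirical frequencies with base-2 logarithms (so the entropies are in bits), and the features are ranked by R so that the feature with no relation to the class falls to the bottom. The flows, feature names and class labels are constructed for this illustration.

```python
"""Added example: normalized mutual information R(f, class) for feature ranking (not the patent's code)."""
import math
from collections import Counter


def entropy(xs):
    """H(X) = -sum_x p(x) log p(x), p estimated from frequencies."""
    n = len(xs)
    return -sum(c / n * math.log2(c / n) for c in Counter(xs).values())


def mutual_information(xs, ys):
    """I(X;Y) = sum_{x,y} p(x,y) log [ p(x,y) / (p(x) p(y)) ]."""
    n = len(xs)
    px, py, pxy = Counter(xs), Counter(ys), Counter(zip(xs, ys))
    return sum(
        c / n * math.log2((c / n) / ((px[x] / n) * (py[y] / n)))
        for (x, y), c in pxy.items()
    )


def conditional_mutual_information(xs, ys, zs):
    """I(X;Y|Z) = sum_{x,y,z} p(x,y,z) log [ p(x,y|z) / (p(x|z) p(y|z)) ].

    With p(x,y|z) = p(x,y,z)/p(z), p(x|z) = p(x,z)/p(z) and p(y|z) = p(y,z)/p(z),
    the ratio inside the log equals p(x,y,z) p(z) / (p(x,z) p(y,z)).
    """
    n = len(xs)
    pz, pxz, pyz = Counter(zs), Counter(zip(xs, zs)), Counter(zip(ys, zs))
    pxyz = Counter(zip(xs, ys, zs))
    return sum(
        c / n * math.log2((c * pz[z]) / (pxz[(x, z)] * pyz[(y, z)]))
        for (x, y, z), c in pxyz.items()
    )


def relevance(feature_values, class_values):
    """R(f, class) = 2 I(f; class) / (H(f) + H(class)), in [0, 1]."""
    denominator = entropy(feature_values) + entropy(class_values)
    if denominator == 0:
        return 0.0  # constant feature and constant class: nothing to relate
    return 2 * mutual_information(feature_values, class_values) / denominator


# Constructed flows: (payload signature, destination port, size bucket, service class).
# The size bucket is deliberately independent of the class.
FLOWS = [
    ("fix", 9878, "large", "core"),
    ("fix", 9878, "small", "core"),
    ("fix", 9878, "large", "core"),
    ("fix", 9878, "small", "core"),
    ("http", 80, "large", "office"),
    ("http", 80, "small", "office"),
    ("tls", 443, "large", "office"),
    ("tls", 443, "small", "office"),
]
FEATURES = {"signature": 0, "port": 1, "size": 2}


def rank_features(flows=FLOWS):
    """Return [(feature name, R)] sorted from most to least relevant to the class."""
    classes = [f[3] for f in flows]
    scores = {name: relevance([f[i] for f in flows], classes) for name, i in FEATURES.items()}
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_features():
        print(f"{name:10s} R = {score:.3f}")
```

On these flows the signature and port each determine the class, so I(f; class) = H(class) = 1 bit while H(f) = 1.5 bits, giving R = 2 / 2.5 = 0.8; the size bucket carries no information about the class and scores 0. The conditional form shows the same thing from another angle: I(port; class | size) is still 1 bit, whereas I(signature; class | port) is 0 because the port already explains everything the signature would.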
5. The quantum secret communication gateway system for a financial securities network according to claim 1, characterized in that the security policies supplementing the encryption policy selection module are formulated by the security administrator and stored in the policy library, and configure different levels for the various flows whose service class has been determined; a policy is expressed as a 7-tuple:
P = <ID, BType, BLevel, EncyptPrior, QKDstatus, EncyptType, Forward>
where ID is the policy number; BType is the service type; BLevel is the service level; EncyptPrior is the encryption priority; QKDstatus is the state of the current quantum key distribution system supplied by the quantum encryption module; EncyptType is the encryption type; and Forward is the target module to which the service stream is forwarded according to the encryption type, namely the quantum encryption module, the conventional encryption module, or the network transparent transmission (no encryption) module;
the user can formulate policies for the various core services and conventional services of the financial securities network; for example, <0001, 1, 1, working:2M:50k, QEN, QM> represents a quantum key encryption policy: the policy number is 0001; the service type is class 1, which is user-defined (class 1 may, for example, denote a certain class of transaction service of the financial securities network); the service level is 1, also user-defined, representing the security level the service requires (1 denoting, for example, the highest security level); the state of the current quantum key distribution system obtained through the quantum encryption module is that the quantum key distribution system is working normally, the quantity of final quantum key (finalkey) is greater than 2M and the quantum key generation rate is greater than 50 kbps; the quantum key encryption mode is selected and this service traffic is forwarded to the quantum encryption module for processing.
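The policy decision of claim 5 together with the key-shortage handling of the quantum key encryption module (buffering and flow-rate control until key generation catches up), as an added example that is not part of the patent or of any product it describes. It reads policies in the 7-tuple form and the "working:2M:50k" status string of the worked example. Assumptions made here: the EncyptPrior field holds one of the four priority grades of claim 1; the status string is read as three thresholds (QKD system working, final key quantity above 2 M bits, key rate above 50 kbit/s); quantum encryption consumes one key bit per payload bit (one-time pad); QM, CM and TP name the quantum encryption, conventional encryption and transparent transmission modules; key-store expansion is not modelled. Policies, flows and pool sizes are constructed.

```python
"""Added example: encryption policy selection with key-shortage buffering (not the patent's code)."""
from collections import deque
from dataclasses import dataclass, field

# The four priority grades of claim 1 (names assumed).
MUST_QUANTUM = "must_quantum"
QUANTUM_IF_AVAILABLE = "quantum_if_available"
CONVENTIONAL_ONLY = "conventional_only"
NO_ENCRYPTION = "no_encryption"

_SUFFIX = {"k": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_quantity(text):
    """'2M' -> 2_000_000, '50k' -> 50_000, '4096' -> 4096."""
    if text[-1] in _SUFFIX:
        return int(float(text[:-1]) * _SUFFIX[text[-1]])
    return int(text)


@dataclass(frozen=True)
class Policy:
    id: str
    btype: int
    blevel: int
    prior: str
    qkd_status: str  # "working:2M:50k" as in the patent's example
    enc_type: str
    forward: str

    def thresholds(self):
        working, keys, rate = self.qkd_status.split(":")
        return working == "working", parse_quantity(keys), parse_quantity(rate)


@dataclass
class QkdState:
    working: bool
    key_bits: int       # final quantum key currently in the pool
    key_rate_bps: int   # key generation rate reported by the QKD equipment


@dataclass
class Gateway:
    policies: dict
    qkd: QkdState
    backlog: deque = field(default_factory=deque)

    @classmethod
    def from_policies(cls, policies, qkd):
        return cls({(p.btype, p.blevel): p for p in policies}, qkd)

    def quantum_ok(self, policy, need_bits):
        """The quantum key distribution condition: status thresholds and enough key for the flow."""
        need_working, min_keys, min_rate = policy.thresholds()
        s = self.qkd
        return ((s.working or not need_working) and s.key_rate_bps > min_rate
                and s.key_bits > min_keys and s.key_bits >= need_bits)

    def route(self, btype, blevel, payload_bits):
        """Return 'QM', 'CM', 'TP' or 'BUFFER' for one classified flow."""
        policy = self.policies.get((btype, blevel))
        if policy is None:
            return "CM"  # unmatched traffic is encrypted conventionally, never passed in clear
        if policy.prior == NO_ENCRYPTION:
            return "TP"
        if policy.prior == CONVENTIONAL_ONLY:
            return "CM"
        if self.quantum_ok(policy, payload_bits):
            self.qkd.key_bits -= payload_bits  # one-time pad: key is consumed
            return "QM"
        if policy.prior == QUANTUM_IF_AVAILABLE:
            return "CM"  # graded policy: degrade to conventional encryption
        self.backlog.append((policy, payload_bits))  # must_quantum: hold, do not downgrade
        return "BUFFER"

    def tick(self, seconds):
        """Model key generation for `seconds`, then release backlog the pool now covers."""
        if self.qkd.working:
            self.qkd.key_bits += self.qkd.key_rate_bps * seconds
        released = []
        while self.backlog and self.quantum_ok(*self.backlog[0]):
            policy, bits = self.backlog.popleft()
            self.qkd.key_bits -= bits
            released.append((policy.id, bits))
        return released


# Constructed policy library, one entry per priority grade.
POLICIES = [
    Policy("0001", 1, 1, MUST_QUANTUM, "working:2M:50k", "QEN", "QM"),
    Policy("0002", 2, 2, QUANTUM_IF_AVAILABLE, "working:2M:50k", "QEN|CEN", "QM|CM"),
    Policy("0003", 3, 3, CONVENTIONAL_ONLY, "any:0:0", "CEN", "CM"),
    Policy("0004", 4, 4, NO_ENCRYPTION, "any:0:0", "NONE", "TP"),
]


def demo():
    """Pool of 2.5 Mbit at 60 kbit/s; returns (routes, released backlog, remaining key bits)."""
    gw = Gateway.from_policies(POLICIES, QkdState(True, 2_500_000, 60_000))
    routes = [
        gw.route(1, 1, 1_000_000),  # QM: pool drops to 1.5 Mbit
        gw.route(1, 1, 1_000_000),  # BUFFER: pool no longer above the 2M threshold
        gw.route(2, 2, 500_000),    # CM: graded policy falls back
        gw.route(3, 3, 10_000),     # CM
        gw.route(4, 4, 10_000),     # TP
    ]
    released = gw.tick(10)          # +600 kbit -> 2.1 Mbit, buffered flow is released
    return routes, released, gw.qkd.key_bits


if __name__ == "__main__":
    print(demo())
```

The point of the backlog is that a "must be quantum-encrypted" flow is never silently downgraded when key runs short; it waits, and `tick` is the flow-rate control that paces it to the key generation rate. The graded policy is the only one that is allowed to fall back to conventional encryption, and unmatched traffic defaults to conventional encryption rather than transparent transmission so that a DPI miss does not become a cleartext leak.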
CN201410140308.6A 2014-04-09 2014-04-09 Quantum secret communication gateway system for financial security network Withdrawn CN103916239A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410140308.6A CN103916239A (en) 2014-04-09 2014-04-09 Quantum secret communication gateway system for financial security network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410140308.6A CN103916239A (en) 2014-04-09 2014-04-09 Quantum secret communication gateway system for financial security network

Publications (1)

Publication Number Publication Date
CN103916239A true CN103916239A (en) 2014-07-09

Family

ID=51041660

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410140308.6A Withdrawn CN103916239A (en) 2014-04-09 2014-04-09 Quantum secret communication gateway system for financial security network

Country Status (1)

Country Link
CN (1) CN103916239A (en)

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104735058A (en) * 2015-03-04 2015-06-24 深信服网络科技(深圳)有限公司 Encryption method and system based on security protocol SSL
CN104735058B (en) * 2015-03-04 2018-03-16 深信服网络科技(深圳)有限公司 A kind of encryption method and system based on security protocol SSL
CN104821874A (en) * 2015-05-15 2015-08-05 长春大学 Method employing quantum secret key for IOT (Internet of Things) data encryption transmission
CN104821874B (en) * 2015-05-15 2017-08-29 长春大学 A kind of method that quantum key is applied to Internet of Things data encrypted transmission
CN106257880A (en) * 2015-06-17 2016-12-28 北京网御星云信息技术有限公司 Firewall control method under a kind of electromagnetic shielding environment and system
CN106257880B (en) * 2015-06-17 2019-06-28 北京网御星云信息技术有限公司 Firewall control method and system under a kind of electromagnetic shielding environment
CN107925575A (en) * 2015-06-22 2018-04-17 赛门铁克公司 Technology for managing network communication privacy
CN105227569A (en) * 2015-10-16 2016-01-06 百度在线网络技术(北京)有限公司 The data pack transmission method of application and device
CN105227569B (en) * 2015-10-16 2019-02-12 百度在线网络技术(北京)有限公司 The data pack transmission method and device of application
CN109155779A (en) * 2016-02-12 2019-01-04 杰皮优艾欧有限公司 Mobile security emptier
CN109155779B (en) * 2016-02-12 2021-06-11 杰皮优艾欧有限公司 Mobile safety unloader
CN106161015A (en) * 2016-09-29 2016-11-23 长春大学 A kind of quantum key distribution method based on DPI
CN107093142A (en) * 2017-03-24 2017-08-25 钱德君 Legal tender bond and assets management method in a kind of Quantum Chain
CN108809631A (en) * 2017-04-28 2018-11-13 广东国盾量子科技有限公司 A kind of quantum key service management system and method
WO2018214061A1 (en) * 2017-05-24 2018-11-29 深圳市乃斯网络科技有限公司 Terminal-based network link encryption method and system
CN107659400A (en) * 2017-09-29 2018-02-02 厦门科华恒盛股份有限公司 A kind of quantum secret communication method and device based on mark identification
CN107659400B (en) * 2017-09-29 2020-08-28 科华恒盛股份有限公司 Quantum secret communication method and device based on identification recognition
CN108880802A (en) * 2018-07-11 2018-11-23 长春大学 Classic network accesses quantum-key distribution network encryption fused controlling method
CN108880802B (en) * 2018-07-11 2020-11-24 长春大学 Encryption fusion control method for classical network access quantum key distribution network
CN111193586A (en) * 2018-11-14 2020-05-22 中国移动通信有限公司研究院 Information processing method, packet transport network device and quantum key device
CN111193586B (en) * 2018-11-14 2023-01-13 中国移动通信有限公司研究院 Information processing method, packet transport network device and quantum key device
CN111786928A (en) * 2019-04-03 2020-10-16 全球能源互联网研究院有限公司 Hierarchical encryption method and system for operation and maintenance of power world-space integrated quantum network
CN111786928B (en) * 2019-04-03 2023-03-24 全球能源互联网研究院有限公司 Hierarchical encryption method and system for operation and maintenance of power world-space integrated quantum network
CN110516467A (en) * 2019-07-16 2019-11-29 上海数据交易中心有限公司 Data circulation method and device, storage medium, terminal
CN110516467B (en) * 2019-07-16 2021-09-24 上海数据交易中心有限公司 Data distribution method and device, storage medium and terminal
CN114172636A (en) * 2020-09-11 2022-03-11 军事科学院系统工程研究院网络信息研究所 Hybrid secure communication method for encrypting critical data quanta
CN114172636B (en) * 2020-09-11 2024-02-20 军事科学院系统工程研究院网络信息研究所 Hybrid safety communication method for key data quantum encryption
JP2022075398A (en) * 2020-11-06 2022-05-18 株式会社東芝 Transfer device, key management server device, communication system, transfer method, and program
JP7395455B2 (en) 2020-11-06 2023-12-11 株式会社東芝 Transfer device, key management server device, communication system, transfer method and program
CN113672947A (en) * 2021-07-16 2021-11-19 国网浙江省电力有限公司杭州供电公司 Electric power system graph model exchange data encryption method based on theme model
CN114499834A (en) * 2021-12-20 2022-05-13 北京邮电大学 Internet of things quantum key distribution method and system, electronic equipment and storage medium
CN116170232A (en) * 2023-04-21 2023-05-26 安徽中科锟铻量子工业互联网有限公司 Quantum gateway data display management system
CN116170232B (en) * 2023-04-21 2023-06-23 安徽中科锟铻量子工业互联网有限公司 Quantum gateway data display management system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C04 Withdrawal of patent application after publication (patent law 2001)
WW01 Invention patent application withdrawn after publication

Application publication date: 20140709