CN104660602A

CN104660602A - Quantum key transmission control method and system

Info

Publication number: CN104660602A
Application number: CN201510079467.4A
Authority: CN
Inventors: 赵梅生; 李霞; 赵波; 周雷
Original assignee: SHANDONG INSTITUTE OF QUANTUM SCIENCE AND TECHNOLOGY Co Ltd; Anhui Quantum Communication Technology Co Ltd
Current assignee: SHANDONG INSTITUTE OF QUANTUM SCIENCE AND TECHNOLOGY Co Ltd; Anhui Quantum Communication Technology Co Ltd
Priority date: 2015-02-14
Filing date: 2015-02-14
Publication date: 2015-05-27
Anticipated expiration: 2035-02-14
Also published as: CN104660602B

Abstract

The invention discloses a quantum key transmission control method. The method comprises steps as follows: a sending-end service application terminal and a receiving-end service application terminal negotiate to acquire various parameters of quantum keys; the sending-end and receiving-end service application terminals send key requests to first and second quantum key management terminals respectively and acquire the quantum keys; the sending-end and receiving-end service application terminals use the quantum keys to perform encryption, decryption and the like on user services or data, so that safe communication services are provided. The invention further provides the corresponding quantum key management terminals, the corresponding service application terminals and a corresponding quantum key transmission control system. With the adoption of the method and the system, the high efficiency and the consistency of application and acquisition of the quantum keys by the service application terminals can be guaranteed, the universality is good, and the method and the system can be applied to communication processes of different service application terminals and quantum key management terminals.

Description

A kind of quantum key transfer control method and system

Technical field

The present invention relates to field of quantum security communication, in particular, provide a kind of quantum key transfer control method, system, quantum key office terminal and service application terminal.

Background technology

Along with the fast development of network technology, a large amount of sensitive information needs by Internet Transmission, and people need to protect sensitive information in order to avoid lose or attacked.Encryption is one of important means ensured information safety.For classical communication, current the most frequently used encryption technology changes raw information, as AES, 3DES, RSA, MD5, SHA-1 etc. with complicated mathematical algorithm.

Existing classical encryption system is based upon on computation complexity basis, and along with the progress of mathematics and the continuous lifting of computer speed, it exists the possibility be decrypted, not definitely reliable.In classical cryptographic system, for once one closely has Unconditional security, and it requires the random number key with encrypted data equal length.And how to produce a large amount of random number key be difficult problem always, so one-time pad does not obtain practical application.The appearance of quantum-key distribution (QKD) technology solves this difficult problem.

Quantum key distribution technology, based on " Heisenberg uncertainty principle " and " quantum can not replicating principle ", uses every bit single photon to transmit random number, can produce and share a large amount of random number key, be i.e. quantum key between transmitting terminal and receiving terminal.In principle, all will inevitably be found any eavesdropping of QKD process.For conventional optical quantum communication scheme, quantum information is carried by the quantum state of single photon; And single photon is the minimum unit of light energy change, is alternatively the most elementary cell of composition light, can not have divided again, listener-in does not eavesdrop information by segmentation photon; " quantum can not replicating principle " determines unknown single photon state and can not be accurately reproduced over time, and therefore listener-in can not eavesdrop information by intercepting and capturing and copying photon states; " Heisenberg uncertainty principle " then determines and will inevitably produce disturbance to its state to the measurement of unknown single photon state, and correspondent just can utilize this point to find eavesdropping.Therefore, the key that QKD process produces has theoretic absolute safety.

QKD technology makes one-time pad be able to real realization.Use amount sub-key, to the cipher mode of communication service or data acquisition one-time pad, can ensure that coded communication has Unconditional security.Even if do not adopt one-time pad, replace the seed key in classical encryption system by use amount sub-key, and improve key updating frequency, also greatly can strengthen the fail safe of coded communication.

Usually; the quantum key that QKD system generates is injected in quantum key office terminal by local connection; service application terminal needs to possess to the request of quantum key office terminal and the function of quantities received sub-key, so that use amount sub-key carries out the secure communications such as authentication, session key agreement protection, the encryption and decryption of data message and integrity protection.Therefore, need for service application terminal is with quantum key office terminal design interface communication protocol, to ensure carrying out smoothly of service application terminal to apply and amount to obtain sub-key, can control effectively to the transmitting procedure of quantum key, and the consistency of the quantum key that communicating pair obtains from quantum key office terminal can be ensured.Meanwhile, this interface communications protocol should have good versatility, can be applicable to the communication process between different service application terminals and quantum key office terminal.

Summary of the invention

For the defect that above-mentioned prior art exists, the present invention proposes a kind of quantum key transfer control method and system, for the communication process between service application terminal and quantum key office terminal, the high efficiency of service application terminal to apply and amount to obtain sub-key can be ensured, ensure the consistency of communicating pair institute amount to obtain sub-key.The method has good versatility, can apply to the communication process between different service application terminals and quantum key office terminal.

One aspect of the present invention provides a kind of quantum key transfer control method, comprises the steps:

Step 1, transmitting terminal service application terminal and receiving terminal service application terminal consult the various parameters of amount to obtain sub-key, and this parameter comprises: the key word joint number starting ID, object ID, key occupation mode, request; Wherein, the acquisition mark that ID and object ID is quantum key is started, for identifying the quantum key shared between the first quantum key office terminal corresponding to transmitting terminal service application terminal and the second quantum key office terminal corresponding to receiving terminal service application terminal;

Step 2, transmitting terminal and receiving terminal service application terminal send key request and amount to obtain sub-key respectively to the first and second quantum key office terminals;

Step 3, transmitting terminal and receiving terminal service application terminal use amount sub-key carry out encryption and decryption etc. to customer service or data, thus provide secure communication service.

Further, described parameter also comprises application mark, for multiple key application processes of identification service application terminal parallel processing.

Preferably, transmitting terminal service application terminal and receiving terminal service application terminal carry out parameter negotiation in the mode of challenge-response, the key word joint number of beginning ID, application mark, key occupation mode, request is sent to receiving terminal service application terminal by transmitting terminal service application terminal, the key word joint number of beginning ID, object ID, application mark, key occupation mode, request is replied to transmitting terminal service application terminal by receiving terminal service application terminal, and both sides complete primary parameter negotiations process.

Preferably, before step 1, transmitting terminal and receiving terminal service application terminal send authentication request respectively to the first and second quantum key office terminals, carry out handshake authentication with providing the quantum key office terminal of service to it.

Further, transmitting terminal and receiving terminal service application terminal send authentication request frames respectively to the first and second quantum key office terminals, authentication response frames is replied respectively to transmitting terminal and receiving terminal service application terminal in first and second quantum key office terminals, if authentication success, transmitting terminal and receiving terminal service application terminal set up corresponding relation with the first and second quantum key office terminals respectively.

Further, before handshake authentication, also comprise the initialization of transmitting terminal and receiving terminal service application terminal, the first and second quantum key office terminals, this initialization comprises: first, initial configuration is carried out to the device parameter of transmitting terminal and receiving terminal service application terminal, comprises key request amount, device id, IP address, secure communication strategy; The second, to transmitting terminal and receiving terminal service application terminal, the physical connection respectively and between the first and second quantum key office terminals confirms.

Preferably, according to the determined each parameter of step 1, transmitting terminal service application terminal sends application key data claim frame to the first quantum key office terminal, application key data response frame is replied to transmitting terminal service application terminal in first quantum key office terminal, if satisfactory quantum key amount is not less than key request amount in the first quantum key office terminal, then in application key data response frame, mark the enough marks of key, otherwise, in application key data response frame, mark the mark of key deficiency.

Further, the information whether key is sufficient is sent to receiving terminal service application terminal by transmitting terminal service application terminal, if key is sufficient, then the key word joint number that once reads is determined in both sides' negotiation; If key is not enough, then both sides continue the relevant parameter consulting amount to obtain sub-key.

Further, in step 2, transmitting terminal and receiving terminal service application terminal send key request frame respectively to the first and second quantum key office terminals, this key request frame comprises the parameter configuration determined in step 1, and key response frame is replied according to the described parameter configuration determined in the first and second quantum key office terminals.

Preferably, the quantum key that obtains stored in buffer area, and is carried out consistency desired result to the quantum key obtained by transmitting terminal and receiving terminal service application terminal, and both sides retain the quantum key by consistency desired result.

Second aspect present invention provides a kind of quantum key transmission control system, comprise at least two service application terminals of transmitting terminal service application terminal and receiving terminal service application terminal, and at least two the quantum key office terminals comprising the first and second quantum key office terminals of correspondence, it is characterized in that:

Transmitting terminal service application terminal, for consulting the various parameters of amount to obtain sub-key with receiving terminal service application terminal, and sending key request and amount to obtain sub-key according to consultation parameter to the first quantum key office terminal, described parameter comprises: the key word joint number starting ID, object ID, key occupation mode, request; Wherein, the acquisition mark that ID and object ID is quantum key is started, for identifying the quantum key shared between the first quantum key office terminal corresponding to transmitting terminal service application terminal and the second quantum key office terminal corresponding to receiving terminal service application terminal;

Receiving terminal service application terminal, for carrying out above-mentioned parameter negotiation with transmitting terminal service application terminal, and sends key request and amount to obtain sub-key according to consultation parameter to the second quantum key office terminal;

First and second quantum key office terminals, for responding corresponding transmitting terminal service application terminal and the key request of receiving terminal service application terminal respectively, and provide quantum key to corresponding service application terminal;

Transmitting terminal and receiving terminal service application terminal use amount sub-key carry out encryption and decryption etc., to provide secure communication service to customer service or data.

Preferably, before parameter negotiation, transmitting terminal and receiving terminal service application terminal send authentication request respectively to the first and second quantum key office terminals, carry out handshake authentication with providing the quantum key office terminal of service to it.

Preferably, according to the determined each parameter of negotiation, transmitting terminal service application terminal sends application key data claim frame to the first quantum key office terminal, application key data response frame is replied to transmitting terminal service application terminal in first quantum key office terminal, if satisfactory quantum key amount is not less than key request amount in the first quantum key office terminal, then in application key data response frame, mark the enough marks of key, otherwise, in application key data response frame, mark the mark of key deficiency.

Further, transmitting terminal and receiving terminal service application terminal send key request frame respectively to the first and second quantum key office terminals, this key request frame comprises each parameter that described negotiation is determined, each parameter that the first and second quantum key office terminals are determined according to described negotiation replys key response frame.

Third aspect present invention provides a kind of quantum key office terminal, for in above-mentioned quantum key transmission control system for the secure communication comprised between transmitting terminal and multiple service application terminals of receiving terminal service application terminal provides quantum key, this quantum key office terminal comprises:

Memory module, stores for the quantum key sent quantum key distribution (QKD) system, according to the key demand of the service application terminal of correspondence, the quantum key of respective numbers is sent to the first quantum key interactive module;

First quantum key interactive module, for receiving the key request that corresponding service application terminal sends, amount to obtain sub-key from memory module, thus the quantum key realized to service application terminal exports.

Preferably, this quantum key office terminal also comprises the first initialization module, for carrying out the initial work of physical connection confirmation to quantum key office terminal.

Further, this quantum key office terminal also comprises the first authentication module, for receiving the authentication request frames that corresponding service application terminal sends, and sending authentication response frames, realizing the handshake authentication between service application terminal.

Preferably, described first quantum key interactive module receives the application key data claim frame that corresponding service application terminal sends, and according to the information in application key data claim frame, judge whether there is satisfactory key in memory module, and reply application key data response frame to corresponding service application terminal, if satisfactory quantum key amount is not less than key request amount, then in application key data response frame, mark the enough marks of key, otherwise, in application key data response frame, mark the mark of key deficiency.

Fourth aspect present invention provides a kind of service application terminal, and securely communicate for use amount sub-key in above-mentioned quantum key transmission control system and between at least one other service application terminal, this service application terminal comprises:

Key negotiation module, for carrying out related parameter negotiation during amount to obtain sub-key between at least one other service application terminal, this parameter comprises: the key word joint number starting ID, object ID, key occupation mode, request; Wherein, the acquisition mark that ID and object ID is quantum key is started, for identifying the quantum key shared between quantum key office terminal corresponding to this service application terminal and quantum key office terminal corresponding to other service application terminals described;

Second quantum key interactive module, for according to described consultation parameter to the quantum key office terminal request of correspondence and amount to obtain sub-key;

Quantum key application module, use amount sub-key is that customer service between at least one other service application terminal or data carry out encryption and decryption etc., to realize secure communication.

Preferably, this service application terminal also comprises the second initialization module, for carrying out the initial work of parameter configuration and physical connection confirmation to service application terminal.

Further, this service application terminal also comprises the second authentication module, for the configuration according to initialization module, quantum key office terminal to correspondence sends authentication request frames, and the authentication response frames that quantities received sub-key office terminal sends, realize and the handshake authentication between corresponding quantum key office terminal.

Preferably, this service application terminal also comprises cache module, for the quantum key that buffer memory second quantum key interactive module obtains, and quantum key is sent to key negotiation module, according to the completeness check result that key negotiation module sends, retain the quantum key by completeness check, delete not by the quantum key of completeness check; Dyad sub-key application module provides the quantum key by completeness check.

The quantum key transfer control method that the present invention relates to, can ensure service application terminal quickly and efficiently from the quantum key needed for the acquisition of quantum key office terminal, thus for carrying out encryption and decryption etc. to customer service or data; Further, because use amount sub-key securely communicates, greatly improve the renewal frequency of key, be convenient to realize one-time pad.

The present invention is before service application terminal amount to obtain sub-key, and whether the key first known in quantum key office terminal by key application is sufficient, then determines to ensure that how amount to obtain sub-key the reliability that key obtains, improve the success rate that key obtains; Cipher key transmitting process and concrete business have nothing to do, communication frame format has good versatility and autgmentability, be applicable to data flow communication and message communicating, be applicable to the communication process between different service application terminals and quantum key office terminal, be applicable to different application scenarioss.

In parameter-negotiation procedure of the present invention, through consultation quantum devices ID can ensure communicating pair service application terminal between the consistency of amount to obtain sub-key, achieve the Obtaining Accurate of quantum key; Meanwhile, apply for mark through consultation, be the application mark that each key application course allocation is unique, achieve the efficient parallel process of multiple key application process; Further, the key word joint number of asking through consultation, the continuation of the acquisition of quantum key and the safe and secret transmission of the height of communication data between both sides can be ensured.

Accompanying drawing explanation

Fig. 1 is the quantum key transmission control net system structured flowchart that the embodiment of the present invention provides;

Fig. 2 is the flow chart of the quantum key transfer control method that the embodiment of the present invention provides;

Fig. 3 is the service application terminal initialization schematic flow sheet that the embodiment of the present invention provides;

Fig. 4 is that the schematic diagram that physical connection confirms process is carried out in the service application terminal that provides of the embodiment of the present invention and quantum key office terminal;

Fig. 5 is the schematic diagram of the authentication request frames frame structure that the embodiment of the present invention provides;

Fig. 6 is the schematic diagram of the authentication response frames frame structure that the embodiment of the present invention provides;

Fig. 7 is the schematic diagram of the application key data claim frame frame structure that the embodiment of the present invention provides;

Fig. 8 is the schematic diagram of the application key data response frame frame structure that the embodiment of the present invention provides;

Fig. 9 is the schematic diagram of the key request frame frame structure that the embodiment of the present invention provides;

Figure 10 is the schematic diagram of the key response frame frame structure that the embodiment of the present invention provides;

Figure 11 is the flow chart of the quantum key transfer control method that the embodiment of the present invention provides;

Figure 12 is the quantum key transmission control system structured flowchart that the embodiment of the present invention provides;

Figure 12 a, 12b are the schematic diagrames of the quantum key office terminal that the embodiment of the present invention provides;

Figure 13 a, 13b are the schematic diagrames of the service application terminal that the embodiment of the present invention provides.

Embodiment

In order to make the object of embodiments of the invention, technical scheme and a little clearly, below in conjunction with the accompanying drawing in the embodiment of the present invention, technical scheme in the embodiment of the present invention is clearly and completely described, obviously, described embodiment is the present invention's part embodiment, instead of whole embodiments.Based on embodiments of the invention, those of ordinary skill in the art, not making the every other embodiment obtained under creative work prerequisite, belong to the scope of protection of the invention.

Fig. 1 exemplarily gives network configuration involved in the present invention, namely the network system that the user network comprising service application terminal by multiple (being three in figure) forms, between multiple user network, throughput sub-network is connected with classic network.。Each user network comprises a service application terminal, a quantum key office terminal and quantum-key distribution (QKD) system, throughput sub-network growing amount sub-key between QKD system.Concrete, in FIG, there are three user networks, user network 1 comprises a service application terminal-1, quantum key office terminal-1 and a QKD system-1, user network 2 comprises a service application terminal-2, quantum key office terminal-2 and a QKD system-2, and user network 3 comprises a service application terminal-3, quantum key office terminal-3 and a QKD system-3.QKD system-1, throughput sub-network growing amount sub-key between QKD system-2 and QKD system-3.

At present, large-scale quantum network can be built based on quantum key distribution technology, the distribution of quantum key between multiple quantum key transceiver terminal (i.e. QKD system) can be realized as by quantum concentrator station, optical switch and quantum communications server, in the present invention, above-mentioned quantum network growing amount sub-key can be passed through, can adopt other forms of quantum network growing amount sub-key, to this, the present invention does not do any restriction yet.

The quantum key that QKD system generates is injected in quantum key office terminal by local connection, quantum key office terminal effectively manages quantum key, now, described quantum key office terminal and described QKD system are independent of each other, it should be noted that, described quantum key office terminal also can be integrated in described QKD system, and to this, the present invention does not do any restriction.

Service application terminal is to coupled quantum key office terminal request and quantities received sub-key, and this quantum key can be used for authentication between service application terminal, session key agreement protection, the encryption and decryption of data message and integrity protection etc.Be connected by classic network between service application terminal in different user network.

Below embodiment by main to comprise two service application terminals (i.e. transmitting terminal and receiving terminal service application terminal), and be that example is described respectively to the quantum key transmission control system of two quantum key office terminals (i.e. the first and second quantum key office terminals) of transmitting terminal and receiving terminal service application Terminal for service, but those skilled in the art should understand, this is not limitation of the present invention, and this system can comprise multiple service application terminal and multiple quantum key office terminal.

In addition, the communication process between QKD system, between QKD system and quantum key office terminal independent of the communication process between quantum key office terminal and service application terminal, and is not the emphasis place of this patent.

Embodiment one

See Fig. 2, the embodiment of the present invention provides a kind of quantum key transfer control method, wherein can provide secure communication service for customer service or data by use amount sub-key between transmitting terminal and receiving terminal service application terminal, transmitting terminal service application terminal is connected with the first quantum key office terminal, receiving terminal service application terminal is connected with the second quantum key office terminal, and the method comprises the steps:

Preferably, described parameter also comprises application mark, for multiple key application processes of identification service application terminal parallel processing.

To the said method step of the present embodiment be specifically described below:

Step 1, transmitting terminal service application terminal and receiving terminal service application terminal consult the various parameters of amount to obtain sub-key, and this parameter comprises: the key word joint number starting ID, object ID, key occupation mode, request; Wherein, the acquisition mark that ID and object ID is quantum key is started, for identifying the quantum key shared between the first quantum key office terminal corresponding to transmitting terminal service application terminal and the second quantum key office terminal corresponding to receiving terminal service application terminal; Preferably, described parameter also comprises application mark, for multiple key application processes of identification service application terminal parallel processing.

Transmitting terminal service application terminal and receiving terminal service application terminal consult to determine that starting ID (establishes the device id of the quantum key office terminal of corresponding relation with transmitting terminal service application terminal, be generally the quantum devices ID of initial configuration), object ID (establishes the device id of the quantum key office terminal of corresponding relation with receiving terminal service application terminal, be generally the quantum devices ID of initial configuration), application mark (or claim application serial, corresponding with a key application process, each key application process has unique application mark), key occupation mode (encryption or deciphering), the key word joint number of request is (according to the key request amount of initial configuration, the key information etc. of quantum key office terminal response is determined).

The similar challenge-response formula process of parameter negotiation of two service application terminal rooms, such as, transmitting terminal service application terminal will start ID (be generally transmitting terminal service application terminal initial configuration quantum devices ID, as: 00000005), application mark (such as: 123), key occupation mode (as: encryption), ask key word joint number (such as: the key request amount of initial configuration is 1K) be sent to receiving terminal service application terminal; Receiving terminal service application terminal will start ID (00000005), object ID and (be generally the quantum devices ID of receiving terminal service application terminal initial configuration, as: 00000006), application mark (123), key occupation mode (encryption), ask key word joint number (1K) reply to transmitting terminal service application terminal, then both sides complete primary parameter negotiations process.

It should be noted that, service application terminal is that each key application process arranges an application mark, a similar application serial, each key application process has unique application mark, when there is multiple key application process, multiple key application process can parallel processing, efficiently amount to obtain sub-key; Transmitting terminal service application terminal and receiving terminal service application terminal use same application mark, should obtain identical key data.

Due in quantum key office terminal, usually the quantum key shared between two quantum key office terminals is identified with quantum devices ID, therefore service application terminal room corresponding quantum devices ID (namely starting ID and object ID) through consultation, can ensure the consistency of the quantum key needed for obtaining to corresponding quantum key office terminal.

Usually, the safe transmission of service application or data corresponds to encryption and decryption two processes, and service application terminal room is key occupation mode through consultation, can ensure that obtained quantum key is for encryption or deciphering.

Affect by quantum key formation speed, the quantum key in quantum key office terminal can not satisfy the demands, and the size of key that service application terminal is asked should be able to make corresponding adjustment according to the key information of quantum key office terminal response; Therefore the service application terminal room key word joint number of asking through consultation, can ensure the continuation of the acquisition of quantum key and the safe and secret transmission of the height of communication data between both sides.

In sum, by the negotiation of transmitting terminal and receiving terminal service application terminal, determine identification information, the identification information of application, the key number of keys for encrypt or decipher and ask of quantum key of both sides for obtaining.Such negotiation ensure that carrying out smoothly of service application terminal to apply and amount to obtain sub-key, can control effectively to the transmitting procedure of quantum key, and consistency and the continuation of the quantum key that communicating pair obtains from quantum key office terminal can be ensured, the communication between dissimilar service application terminal and quantum key office terminal can also be used for simultaneously, there is good versatility.

Preferably, before transmitting terminal and receiving terminal service application terminal carry out parameter negotiation, transmitting terminal and receiving terminal service application terminal send authentication request frames respectively to the first and second quantum key office terminals, carry out handshake authentication with providing the quantum key office terminal of service to it.Authentication response frames is replied to transmitting terminal service application terminal in first quantum key office terminal, if authentication success, corresponding relation is set up in transmitting terminal service application terminal and the first quantum key office terminal.Similarly, authentication response frames is replied to receiving terminal service application terminal in the second quantum key office terminal, if authentication success, corresponding relation is set up in receiving terminal service application terminal and the second quantum key office terminal.

As shown in Figure 5, Figure 6, authentication request/response frame comprises frame head, loaded length, publicly-owned information and private information to the frame structure of authentication request frames and authentication response frames, and functions is described below:

(1) next load: 1 byte, this part forms frame head together with reserve bytes, the type of next load after identifying this load, if current load is last, then this field will be set to 0;

(2) retain: 1 byte, value is 0;

(3) loaded length: 2 bytes, indicates the whole loaded length comprising payload header in units of byte;

(4) type of message: being mainly used in identifying this message is encrypting messages or not encrypting messages;

(5) command word: concrete command word, what the object of identification message is, has good autgmentability;

(6) message sending end facility information: (as: 01 represents the application of VPN type to comprise application type, 02 represents the application of key management type, 03 represents the application of encryption type), (as: 01 represents IPSec vpn gateway to device type, 02 represents quantum key office terminal, 03 represents 3 infill layer machines), (as: 01 represents certain VPN device company to producer's mark, 02 represents certain quantum devices company, 03 represents certain encryption equipment equipment company), (as: device id of vpn gateway is 00000001 to device id, quantum devices ID is 00000002, the device id of 3 infill layer machines is 00000003),

Wherein type of message, command word and message sending end facility information together constitute publicly-owned information;

(7) private information: in authentication request frames, refers to authentication information; In authentication response frames, whether successful for ID authentication.

It should be noted that, in quantum key office terminal or have in the QKD system of quantum key management function, usually identify the quantum key shared between two quantum key office terminals or two QKD systems with quantum devices ID.Such as, the quantum key shared between the first and second quantum key office terminals, be identify with the device id of the second quantum key office terminal in the first quantum key office terminal, and be identify with the device id of the first quantum key office terminal in the second quantum key office terminal.Due to the unique identification that device id is equipment, therefore service application terminal and quantum devices can be made after authentication success of shaking hands to set up corresponding relation by device id, and ensure the consistency of the quantum key that transmitting terminal and receiving terminal service application SS later obtain.

Preferably, before handshake authentication, also comprise the initialization of transmitting terminal and receiving terminal service application terminal, the first and second quantum key office terminals.The initialization of service application terminal and quantum key office terminal mainly comprises two steps, namely the device parameter of service application terminal is carried out initial configuration, confirmed the physical connection between service application terminal and quantum key office terminal, as shown in Figure 3.

A. guarantee that transmitting terminal service application terminal, the first quantum key office terminal physical connection are separately normal, parameter configuration is carried out to transmitting terminal service application terminal, comprise the parameters such as key request amount, device id (comprise the device id of service application terminal, and provide the device id of the quantum key office terminal of service to it or weigh subset ID), IP address, secure communication strategy (such as authentication algorithm, enciphering and deciphering algorithm etc.); Second quantum key office terminal and receiving terminal service application terminal also carry out similar initialization procedure, repeat no more here.

B. physical connection confirmation is carried out in transmitting terminal service application terminal and the first quantum key office terminal, as shown in Figure 4.Hello message is sent to the first quantum key office terminal by transmitting terminal service application terminal, if receive the ACK message that the first quantum key office terminal is replied, then both sides' physical connection is normal, now transmitting terminal service application terminal and the first quantum key office terminal have completed physical connection and have confirmed, but do not carry out handshake authentication.Receiving terminal service application terminal and the second quantum key office terminal also complete similar operation.

Preferably, according to the determined each parameter of step 1, transmitting terminal service application terminal sends application key data claim frame to the first quantum key office terminal, and application key data response frame is replied to transmitting terminal service application terminal in the first quantum key office terminal; If satisfactory quantum key amount is not less than key request amount in the first quantum key office terminal, then in application key data response frame, mark the enough marks of key, otherwise, in application key data response frame, mark the mark of key deficiency.

Transmitting terminal service application terminal sends application key data claim frame (as shown in Figure 7) to the first quantum key office terminal.First quantum key office terminal, according to the information in application key data claim frame, has judged whether satisfactory key, and replys application key data response frame to transmitting terminal service application terminal, as shown in Figure 8.If satisfactory quantum key amount is not less than key request amount in the first quantum key office terminal, namely satisfactory quantum key enough uses, then in the application key data response frame replying to transmitting terminal service application terminal, mark the enough marks of key (flag=1); If satisfactory quantum key amount is less than key request amount in the first quantum key office terminal, then in application key data response frame, mark the mark (flag=0) of key deficiency.

As shown in Figure 7 and Figure 8, apply for the function class of the frame head of key data request/response frames, loaded length, the functions of publicly-owned information and the appropriate section of authentication request/response frame seemingly, each several part content in private information is as follows:

(1) start ID, object ID: under normal circumstances, refer to the quantum devices ID for transmitting terminal and the configuration of receiving terminal service application terminal initial respectively; In quantum key office terminal or have in the QKD system of quantum key management function, usually identify the quantum key shared between two quantum key office terminals or two QKD systems with quantum devices ID;

(2) application mark: or claim application serial, corresponding with a key application process, each key application process has unique application mark;

(3) key occupation mode: be " encryption key " or " decruption key " for tagged keys;

(4) the key word joint number of asking: determine according to the key request amount of initial configuration, the key information etc. of quantum key office terminal response;

(5) response: whether sufficient for identifying satisfactory quantum key in quantum key office terminal, if key is sufficient, is then set to 1; If key is not enough, be then set to 0.

Preferably, the information whether key is sufficient is sent to receiving terminal service application terminal by transmitting terminal service application terminal, if key is sufficient, then the key word joint number (being not more than the key word joint number of request) that once reads is determined in both sides' negotiation; If key is not enough, then both sides continue the relevant parameter consulting amount to obtain sub-key.

Step 2, transmitting terminal and receiving terminal service application terminal send key request and amount to obtain sub-key respectively to the first and second quantum key office terminals.

In this step, transmitting terminal service application terminal sends key request frame (as shown in Figure 9) to the first quantum key office terminal; Receiving terminal service application terminal also sends key request frame to the second quantum key office terminal simultaneously.Transmitting terminal service application terminal key response frame (as shown in Figure 10), according to the key word joint number starting ID, object ID, once read, using the shared quantum key of respective numbers as key data, and is replied in first quantum key office terminal; Similar process is also carried out in second quantum key office terminal, and replys receiving terminal service application terminal key response frame.

As shown in Figure 9 and Figure 10, the private information of key request/response frame comprises beginning ID, object ID, application mark, key occupation mode, the key word joint number once read, frame number, key data frame number, key data, wherein:

Frame number: as the mutual mark between service application terminal and quantum key office terminal;

Key data frame number: because a frame length is limited to the length of an IP bag, needs to be divided into multiple frame for the acquisition being greater than 1KB key data and sends;

Key data: the quantum key of the actual output in quantum key office terminal.

Transmitting terminal service application terminal by obtain quantum key stored in buffer area, and calculate the data integrity value (as MD5, SM3 etc.) of institute's amount to obtain sub-key, by this check value together with applying for mark accordingly, key data frame number is sent to receiving terminal service application terminal by classic network; Receiving terminal service application terminal by obtain quantum key stored in buffer area, and calculate the data integrity value (identical with the computational methods of transmitting terminal service application terminal) of institute's amount to obtain sub-key, the corresponding check value that this check value and transmitting terminal service application terminal send is compared; If check value is consistent, then by result consistent for check value together with applying for mark, key data frame number notice transmitting terminal service application terminal accordingly, both sides retain the corresponding quantum key obtained; If check value is inconsistent, then by result inconsistent for check value together with applying for mark, key data frame number notice transmitting terminal service application terminal accordingly, both sides abandon obtained corresponding quantum key.

Step 3, transmitting terminal and receiving terminal service application terminal use amount sub-key carry out encryption and decryption etc., to provide secure communication service to customer service or data.

See Figure 11, it is the detail flowchart comprising the quantum key transfer control method of optimal way that the present embodiment provides.

Quantum key transfer control method provided by the invention, communication between service application terminal and quantum key office terminal mainly comprises handshake authentication, key application and key and obtains three processes, can ensure the high efficiency of service application terminal to apply and amount to obtain sub-key.Wherein, before service application terminal amount to obtain sub-key, whether the key first known in quantum key office terminal by key application is sufficient, then determines to ensure that how amount to obtain sub-key the reliability that key obtains, improve the success rate that key obtains; Adopt in communication frame and start ID, object ID, field such as application mark etc., and data integrity verifying is carried out to obtained quantum key, the consistency of the key data that effective guarantee communicating pair obtains; Cipher key transmitting process and concrete business have nothing to do, communication frame format has good versatility and autgmentability, be applicable to data flow communication and message communicating, be applicable to the communication process between different service application terminals and quantum key office terminal, be applicable to different application scenarioss.

Embodiment two

See Figure 12, the embodiment of the present invention provides a kind of quantum key transmission control system, comprises transmitting terminal service application terminal and receiving terminal service application terminal, and the first quantum key office terminal and the second quantum key office terminal, is characterized in that:

The quantum key transmission control system structured flowchart of one embodiment of the invention as shown in figure 12, wherein:

Transmitting terminal and receiving terminal service application terminal represent in classic network can provide two entities of secure communication service for customer service or data by use amount sub-key;

User 1 and user 2 realize secure communication respectively by transmitting terminal service application terminal and receiving terminal service application terminal, and in classic network, transmitting terminal service application terminal and receiving terminal service application terminal are respectively IP1, IP2 at the external IP of public network; One skilled in the art will appreciate that this quantum key transmission control system can comprise multiple user, multiple service application terminal and multiple quantum key office terminal, as shown in Figure 1;

QKD-1 and QKD-2 is quantum key distribution (QKD) system, be connected with the first quantum key office terminal, the second quantum key office terminal respectively, between two QKD systems, throughput sub-network carries out quantum key distribution, and generated quantum key is sent to corresponding quantum key office terminal;

The quantum key that QKD system sends is carried out storage administration by quantum key office terminal, and using quantum devices ID as mark, so that service application terminal can obtain corresponding quantum key according to quantum devices ID; Preferably, be ensure fail safe, quantum key normally carries out storing in an encrypted form, needs first to decipher before externally exporting.

Specifically, transmitting terminal service application terminal and receiving terminal service application terminal consult to determine that starting ID (establishes the device id of the quantum key office terminal of corresponding relation with transmitting terminal service application terminal, be generally the quantum devices ID of initial configuration), object ID (establishes the device id of the quantum key office terminal of corresponding relation with receiving terminal service application terminal, be generally the quantum devices ID of initial configuration), application mark (or claim application serial, corresponding with a key application process, each key application process has unique application mark), key occupation mode (encryption or deciphering), the key word joint number of request is (according to the key request amount of initial configuration, the key information etc. of quantum key office terminal response is determined).

Service application terminal is that each key application process arranges an application mark, a similar application serial, and each key application process has unique application mark; Transmitting terminal service application terminal and receiving terminal service application terminal use same application mark, should obtain identical key data.The similar challenge-response formula process of parameter negotiation of two service application terminal rooms, such as, transmitting terminal service application terminal will start ID (be generally transmitting terminal service application terminal initial configuration quantum devices ID, as: 00000005), application mark (such as: 123), key occupation mode (as: encryption), ask key word joint number (such as: the key request amount of initial configuration is 1K) be sent to receiving terminal service application terminal; Receiving terminal service application terminal will start ID (00000005), object ID and (be generally the quantum devices ID of receiving terminal service application terminal initial configuration, as: 00000006), application mark (123), key occupation mode (encryption), ask key word joint number (1K) reply to transmitting terminal service application terminal, then both sides complete primary parameter negotiations process.

By the negotiation of transmitting terminal and receiving terminal service application terminal, determine identification information, the identification information of application, the key number of keys for encrypt or decipher and ask of quantum key of both sides for obtaining.Such negotiation ensure that carrying out smoothly of service application terminal to apply and amount to obtain sub-key, can control effectively to the transmitting procedure of quantum key, and consistency and the continuation of the quantum key that communicating pair obtains from quantum key office terminal can be ensured, the communication between dissimilar service application terminal and quantum key office terminal can also be used for simultaneously, there is good versatility.

Preferably, before transmitting terminal and receiving terminal service application terminal carry out parameter negotiation, transmitting terminal and receiving terminal service application terminal send authentication request frames respectively to the first and second quantum key office terminals, carry out handshake authentication with providing the quantum key office terminal of service to it.

Authentication response frames is replied to transmitting terminal service application terminal in first quantum key office terminal, if authentication success, corresponding relation is set up in transmitting terminal service application terminal and the first quantum key office terminal.Similarly, authentication response frames is replied to receiving terminal service application terminal in the second quantum key office terminal, if authentication success, corresponding relation is set up in receiving terminal service application terminal and the second quantum key office terminal.

The frame structure of authentication request frames and authentication response frames as shown in Figure 5, Figure 6, see the description in embodiment one.

Preferably, before handshake authentication, initialization is carried out in transmitting terminal and receiving terminal service application terminal, the first and second quantum key office terminals.The initialization of service application terminal and quantum key office terminal mainly comprises two steps, namely the device parameter of service application terminal is carried out initial configuration, confirmed the physical connection between service application terminal and quantum key office terminal, as shown in Figure 3.

Preferably, according to the determined each parameter of negotiation, transmitting terminal service application terminal sends application key data claim frame to the first quantum key office terminal, and application key data response frame is replied to transmitting terminal service application terminal in the first quantum key office terminal; If satisfactory quantum key amount is not less than key request amount in the first quantum key office terminal, then in application key data response frame, mark the enough marks of key, otherwise, in application key data response frame, mark the mark of key deficiency.

Apply for key data claim frame and apply for the frame structure of key data response frame as shown in Figure 7, Figure 8, see the description in embodiment one.

Transmitting terminal and receiving terminal service application terminal send key request and amount to obtain sub-key respectively to the first and second quantum key office terminals.Preferably, transmitting terminal service application terminal sends key request frame (as shown in Figure 9) to the first quantum key office terminal; Receiving terminal service application terminal also sends key request frame to the second quantum key office terminal simultaneously.Transmitting terminal service application terminal key response frame (as shown in Figure 10), according to the key word joint number starting ID, object ID, once read, using the shared quantum key of respective numbers as key data, and is replied in first quantum key office terminal; Similar process is also carried out in second quantum key office terminal, and replys receiving terminal service application terminal key response frame.

The frame structure of key request frame and key response frame as shown in Figure 9, Figure 10, see the description in embodiment one.

Further, transmitting terminal service application terminal by obtain quantum key stored in buffer area, and calculate the data integrity value (as MD5, SM3 etc.) of institute's amount to obtain sub-key, by this check value together with applying for mark accordingly, key data frame number is sent to receiving terminal service application terminal by classic network; Receiving terminal service application terminal by obtain quantum key stored in buffer area, and calculate the data integrity value (identical with the computational methods of transmitting terminal service application terminal) of institute's amount to obtain sub-key, the corresponding check value that this check value and transmitting terminal service application terminal send is compared; If check value is consistent, then by result consistent for check value together with applying for mark, key data frame number notice transmitting terminal service application terminal accordingly, both sides retain the corresponding quantum key obtained; If check value is inconsistent, then by result inconsistent for check value together with applying for mark, key data frame number notice transmitting terminal service application terminal accordingly, both sides abandon obtained corresponding quantum key.

Embodiment three

See Figure 12 a, the embodiment of the present invention provides a kind of quantum key office terminal, and in the quantum key transmission control system described by embodiment two, for the secure communication between multiple service application terminal provides quantum key, this quantum key office terminal comprises:

In quantum key transmission control system, that comprise transmitting terminal with two service application terminals that are receiving terminal, and two corresponding with transmitting terminal and receiving terminal respectively quantum key office terminals.Described service application terminal both can as the service application terminal of transmitting terminal, also can as the service application terminal of receiving terminal.

Preferably, quantum key office terminal as shown in Figure 12b, also comprises following functional module:

First initialization module, for carrying out the initial work such as physical connection confirmation to quantum key office terminal.

First initialization module guarantees that the physical connection of quantum key office terminal is normal, and confirms the physical connection between quantum key office terminal and corresponding service application terminal, as shown in Figure 4.Hello message is sent to the first initialization module of quantum key office terminal by corresponding service application terminal, if the ACK message that the first initialization module that corresponding service application terminal receives quantum key office terminal is replied, then both sides' physical connection is normal, now quantum key office terminal and corresponding service application terminal have completed physical connection and have confirmed, but do not carry out handshake authentication.

Further, quantum key office terminal also comprises:

First authentication module, for receiving the authentication request frames that corresponding service application terminal sends, and sending authentication response frames, realizing the handshake authentication between service application terminal.

In addition, quantum key office terminal also comprises the first control module, and the built-in function for quantum key office terminal controls.

Preferably, the first authentication module of quantum key office terminal receives the authentication request frames sent from corresponding service application terminal, to carry out handshake authentication, sets up the corresponding relation between quantum key office terminal and corresponding service application terminal.First authentication module of quantum key office terminal replys authentication response frames to corresponding service application terminal, if authentication success, quantum key office terminal and corresponding service application terminal set up corresponding relation.The frame structure of authentication request frames and authentication response frames as shown in Figure 5, Figure 6, see the description in embodiment one.

And, by the function i ntegration of QKD system in quantum key office terminal, quantum key distribution and quantum key management correlation function can be realized in a terminal, do not repeat them here.

Further, first quantum key interactive module receives the application key data claim frame (as shown in Figure 7) that corresponding service application terminal sends, and according to the information in application key data claim frame, judge whether there is satisfactory key in memory module, and reply application key data response frame to corresponding service application terminal, as shown in Figure 8.If satisfactory quantum key amount is not less than key request amount in quantum key office terminal, namely satisfactory quantum key enough uses, then in the application key data response frame replying to corresponding service application terminal, mark the enough marks of key (flag=1); If satisfactory quantum key amount is less than key request amount in quantum key office terminal, then in application key data response frame, mark the mark (flag=0) of key deficiency.

Further again, first quantum key interactive module receives the key request frame (as shown in Figure 9) that corresponding service application terminal sends, then according to the parameter in key request frame, as the key word joint number starting ID, object ID, once read, the shared quantum key of respective numbers is obtained from memory module, using obtained quantum key as key data, and reply corresponding service application terminal key response frame (as shown in Figure 10).

Wherein, if quantum key office terminal provides quantum key for transmitting terminal service application terminal, then the first quantum key interactive module and transmitting terminal service application terminal carry out interactive communication; If quantum key office terminal provides quantum key for receiving terminal service application terminal, then the first quantum key interactive module and receiving terminal service application terminal carry out interactive communication.

Embodiment four

See Figure 13 a, the embodiment of the present invention provides a kind of service application terminal, for in the quantum key transmission control system described by embodiment two, and between at least one other service application terminal, use amount sub-key securely communicates, and this service application terminal comprises:

Quantum key application module, use amount sub-key is that customer service between at least one other service application terminal or data carry out encryption and decryption etc., to realize secure communication.Preferably, described parameter also comprises application mark, for multiple key application processes of identification service application terminal parallel processing.

Preferably, service application terminal as illustrated in fig. 13b, also comprises the second initialization module, for carrying out the initial work such as parameter configuration and physical connection confirmation to service application terminal.

Specifically, the initialization of service application terminal mainly comprises two steps, namely the device parameter of service application terminal is carried out to initial configuration, confirms the physical connection between service application terminal and corresponding quantum key office terminal, as shown in Figure 3.

A. the second initialization module guarantees that the physical connection of service application terminal is normal, and parameter configuration is carried out to service application terminal, comprise the parameters such as key request amount, device id (comprise the device id of service application terminal, and provide the device id of the quantum key office terminal of service to it or weigh subset ID), IP address, secure communication strategy (such as authentication algorithm, enciphering and deciphering algorithm etc.).

B. the physical connection between the second initialization module finishing service application terminal and corresponding quantum key office terminal confirms, as shown in Figure 4.Hello message is sent to corresponding quantum key office terminal by the second initialization module of service application terminal, if receive the ACK message that corresponding quantum key office terminal is replied, then both sides' physical connection is normal, now service application terminal and corresponding quantum key office terminal have completed physical connection and have confirmed, but do not carry out handshake authentication.

Preferably, service application terminal of the present invention also comprises the second authentication module, for the configuration according to initialization module, quantum key office terminal to correspondence sends authentication request frames, and the authentication response frames that quantities received sub-key office terminal sends, realize and the handshake authentication between corresponding quantum key office terminal.

Preferably, before service application terminal carries out parameter negotiation, the second authentication module of service application terminal sends authentication request frames, to carry out handshake authentication and to set up corresponding relation to corresponding quantum key office terminal.

Authentication response frames is replied to the second authentication module of service application terminal in quantum key office terminal, if authentication success, corresponding relation is set up in service application terminal and corresponding quantum key office terminal.The frame structure of authentication request frames and authentication response frames as shown in Figure 5, Figure 6, see the description in embodiment one.

Preferably, service application terminal of the present invention also comprises cache module, for the quantum key that buffer memory second quantum key interactive module obtains, and quantum key is sent to key negotiation module, according to the completeness check result that key negotiation module sends, retain the quantum key by completeness check, delete not by the quantum key of completeness check; And provide the quantum key by completeness check to quantum key application module.

Described key negotiation module receives the quantum key that cache module sends, and carries out the completeness check of key data, and the result of completeness check is sent to cache module.

Described second quantum key interactive module applies for key data claim frame, key request frame, application key data response frame, key response frame that quantities received sub-key office terminal sends according to described consultation parameter to the quantum key office terminal transmission of correspondence.Above-mentioned frame structure, see Fig. 7-10, specifically describes the associated description see embodiment one.

The quantum key that described quantum key application module uses cache module to provide, carries out authentication between transmitting terminal and receiving terminal service application terminal, session key agreement protection, the encryption and decryption of data message and integrity protection etc.

In addition, service application terminal of the present invention also comprises the second control module, and the built-in function for service application terminal controls.

Specifically, the key negotiation module of service application terminal completes the parameter negotiation with at least one other service application terminal communicated with it, negotiation determines that starting ID (establishes the device id of the quantum key office terminal of corresponding relation with transmitting terminal service application terminal, be generally the quantum devices ID of initial configuration), object ID (establishes the device id of the quantum key office terminal of corresponding relation with receiving terminal service application terminal, be generally the quantum devices ID of initial configuration), application mark (or claim application serial, corresponding with a key application process, each key application process has unique application mark), key occupation mode (encryption or deciphering), the key word joint number of request is (according to the key request amount of initial configuration, the key information etc. of quantum key office terminal response is determined).

Key negotiation module is that each key application process arranges an application mark, a similar application serial, and each key application process has unique application mark; The service application terminal of communicating pair uses same application mark, should obtain identical key data.The similar challenge-response formula process of parameter negotiation of two service application terminal rooms, such as, key negotiation module as transmitting terminal service application terminal will start ID and (be generally the quantum devices ID of transmitting terminal service application terminal initial configuration, as: 00000005), application mark (such as: 123), key occupation mode (as: encryption), the key word joint number (such as: the key request amount of initial configuration is 1K) of request is sent to the key negotiation module of receiving terminal service application terminal, the key negotiation module of receiving terminal service application terminal will start ID (00000005), object ID (is generally the quantum devices ID of receiving terminal service application terminal initial configuration, as: 00000006), application mark (123), key occupation mode (encryption), the key word joint number (1K) of request replies to the key negotiation module of transmitting terminal service application terminal, then both sides complete primary parameter negotiations process.

That is, by the negotiation of key negotiation module, determine identification information, the identification information of application, the number of keys of key for encrypting or decipher and asking of service application terminal for the quantum key of acquisition of communicating pair.Such negotiation ensure that carrying out smoothly of service application terminal to apply and amount to obtain sub-key, can control effectively to the transmitting procedure of quantum key, and consistency and the continuation of the quantum key that communicating pair obtains from quantum key office terminal can be ensured, the communication between dissimilar service application terminal and quantum key office terminal can also be used for simultaneously, there is good versatility.

Further, second quantum key interactive module sends application key data claim frame (as shown in Figure 7) to the quantum key office terminal of correspondence, and receive corresponding quantum key office terminal and judge whether according to the information in application key data claim frame the application key data response frame that satisfactory key is replied, as shown in Figure 8.If satisfactory quantum key amount is not less than key request amount in the quantum key office terminal of correspondence, namely satisfactory quantum key enough uses, then what apply for marking in key data response frame is the enough mark (flag=1) of key; If satisfactory quantum key amount is less than key request amount in the quantum key office terminal of correspondence, then what apply for marking in key data response frame is the mark (flag=0) of key deficiency.

Further again, the second quantum key interactive module sends key request frame (as shown in Figure 9) to the quantum key office terminal of correspondence; Further, corresponding quantum key office terminal is received according to the key word joint number starting ID, object ID, once read, using the key response frame (as shown in Figure 10) that the shared quantum key of respective numbers is replied as key data.

Wherein, two described quantum key office terminals, the first quantum key office terminal is used for providing quantum key for transmitting terminal service application terminal, and the second quantum key office terminal provides quantum key for receiving terminal service application terminal.If this service application terminal is as transmitting terminal, then interactive communication is carried out in the second quantum key interactive module and the first quantum key office terminal; If this service application terminal is as receiving terminal, then interactive communication is carried out in the second quantum key interactive module and the second quantum key office terminal.

Preferably, the key negotiation module of this service application terminal calculates the data integrity value (as MD5, SM3 etc.) of institute's amount to obtain sub-key, by this check value together with applying for mark accordingly, key data frame number is sent to the service application terminal securely communicated with it by classic network; The key negotiation module of the service application terminal securely communicated with it calculates the data integrity value (identical with the computational methods of this service application terminal) of institute's amount to obtain sub-key, is compared by the corresponding check value that this check value and this service application terminal send; If check value is consistent, then by result consistent for check value together with applying for mark accordingly, key data frame number notifies this service application terminal, both sides retain the corresponding quantum key obtained; If check value is inconsistent, then by result inconsistent for check value together with applying for mark accordingly, key data frame number notifies this service application terminal, both sides abandon obtained corresponding quantum key.

The quantum key transfer control method provided the embodiment of the present invention above, service application terminal, quantum key office terminal and quantum key transmission control system are described in detail, but the explanation of above embodiment just understands method of the present invention and core concept thereof for helping, and should not be construed as limitation of the present invention.Those skilled in the art are in the technical scope that the present invention discloses, and the change expected easily or replacement, all should be encompassed within protection scope of the present invention.

Claims

1. a quantum key transfer control method, comprises the steps:

2. the method for claim 1, is characterized in that: described parameter also comprises application mark, for multiple key application processes of identification service application terminal parallel processing.

3. method as claimed in claim 2, it is characterized in that: transmitting terminal service application terminal and receiving terminal service application terminal carry out parameter negotiation in the mode of challenge-response, the key word joint number of beginning ID, application mark, key occupation mode, request is sent to receiving terminal service application terminal by transmitting terminal service application terminal, the key word joint number of beginning ID, object ID, application mark, key occupation mode, request is replied to transmitting terminal service application terminal by receiving terminal service application terminal, and both sides complete primary parameter negotiations process.

4. method as claimed in claim 2, it is characterized in that: before step 1, transmitting terminal and receiving terminal service application terminal send authentication request respectively to the first and second quantum key office terminals, carry out handshake authentication with providing the quantum key office terminal of service to it.

5. method as claimed in claim 4, it is characterized in that: transmitting terminal and receiving terminal service application terminal send authentication request frames respectively to the first and second quantum key office terminals, authentication response frames is replied respectively to transmitting terminal and receiving terminal service application terminal in first and second quantum key office terminals, if authentication success, transmitting terminal and receiving terminal service application terminal set up corresponding relation with the first and second quantum key office terminals respectively.

6. method as claimed in claim 5, is characterized in that, before handshake authentication, also comprise the initialization of transmitting terminal and receiving terminal service application terminal, the first and second quantum key office terminals, this initialization comprises:

The first, initial configuration is carried out to the device parameter of transmitting terminal and receiving terminal service application terminal, comprises key request amount, device id, IP address, secure communication strategy;

The second, to transmitting terminal and receiving terminal service application terminal, the physical connection respectively and between the first and second quantum key office terminals confirms.

7. method as claimed in claim 2, it is characterized in that: according to the determined each parameter of step 1, transmitting terminal service application terminal sends application key data claim frame to the first quantum key office terminal, application key data response frame is replied to transmitting terminal service application terminal in first quantum key office terminal, if satisfactory quantum key amount is not less than key request amount in the first quantum key office terminal, then in application key data response frame, mark the enough marks of key, otherwise, in application key data response frame, mark the mark of key deficiency.

8. method as claimed in claim 7, is characterized in that: by key, whether sufficient information sends to receiving terminal service application terminal to transmitting terminal service application terminal, if key is sufficient, then the key word joint number that once reads is determined in both sides' negotiation; If key is not enough, then both sides continue the relevant parameter consulting amount to obtain sub-key.

9. method as claimed in claim 8, it is characterized in that: in step 2, transmitting terminal and receiving terminal service application terminal send key request frame respectively to the first and second quantum key office terminals, this key request frame comprises the parameter configuration determined in step 1, and key response frame is replied according to the described parameter configuration determined in the first and second quantum key office terminals.

10. method as claimed in claim 2, is characterized in that: the quantum key that obtains stored in buffer area, and is carried out consistency desired result to the quantum key obtained by transmitting terminal and receiving terminal service application terminal, and both sides retain the quantum key by consistency desired result.

11. 1 kinds of quantum key transmission control systems, comprise at least two service application terminals of transmitting terminal service application terminal and receiving terminal service application terminal, and at least two the quantum key office terminals comprising the first and second quantum key office terminals of correspondence, it is characterized in that:

12. methods as claimed in claim 11, is characterized in that: described parameter also comprises application mark, for multiple key application processes of identification service application terminal parallel processing.

13. systems as claimed in claim 12, it is characterized in that: transmitting terminal service application terminal and receiving terminal service application terminal carry out parameter negotiation in the mode of challenge-response, the key word joint number of beginning ID, application mark, key occupation mode, request is sent to receiving terminal service application terminal by transmitting terminal service application terminal, the key word joint number of beginning ID, object ID, application mark, key occupation mode, request is replied to transmitting terminal service application terminal by receiving terminal service application terminal, and both sides complete primary parameter negotiations process.

14. systems as claimed in claim 12, it is characterized in that: before parameter negotiation, transmitting terminal and receiving terminal service application terminal send authentication request respectively to the first and second quantum key office terminals, carry out handshake authentication with providing the quantum key office terminal of service to it.

15. systems as claimed in claim 14, it is characterized in that: transmitting terminal and receiving terminal service application terminal send authentication request frames respectively to the first and second quantum key office terminals, authentication response frames is replied respectively to transmitting terminal and receiving terminal service application terminal in first and second quantum key office terminals, if authentication success, transmitting terminal and receiving terminal service application terminal set up corresponding relation with the first and second quantum key office terminals respectively.

16. systems as claimed in claim 15, is characterized in that, before handshake authentication, also comprise the initialization of transmitting terminal and receiving terminal service application terminal, the first and second quantum key office terminals, this initialization comprises:

17. systems as claimed in claim 12, it is characterized in that: according to the determined each parameter of negotiation, transmitting terminal service application terminal sends application key data claim frame to the first quantum key office terminal, application key data response frame is replied to transmitting terminal service application terminal in first quantum key office terminal, if satisfactory quantum key amount is not less than key request amount in the first quantum key office terminal, then in application key data response frame, mark the enough marks of key, otherwise, in application key data response frame, mark the mark of key deficiency.

18. systems as claimed in claim 17, is characterized in that: the information whether key is sufficient is sent to receiving terminal service application terminal by transmitting terminal service application terminal, if key is sufficient, then the key word joint number that once reads is determined in both sides' negotiation; If key is not enough, then both sides continue the relevant parameter consulting amount to obtain sub-key.

19. systems as claimed in claim 18, it is characterized in that: transmitting terminal and receiving terminal service application terminal send key request frame respectively to the first and second quantum key office terminals, this key request frame comprises each parameter that described negotiation is determined, each parameter that the first and second quantum key office terminals are determined according to described negotiation replys key response frame.

20. systems as claimed in claim 12, is characterized in that: the quantum key that obtains stored in buffer area, and is carried out consistency desired result to the quantum key obtained by transmitting terminal and receiving terminal service application terminal, and both sides retain the quantum key by consistency desired result.

21. 1 kinds of quantum key office terminals, for in the quantum key transmission control system of such as one of claim 11-20, for the secure communication comprised between transmitting terminal and multiple service application terminals of receiving terminal service application terminal provides quantum key, this quantum key office terminal comprises:

Memory module, stores for the quantum key sent quantum key distribution system, according to the key demand of the service application terminal of correspondence, the quantum key of respective numbers is sent to the first quantum key interactive module;

22. quantum key office terminals as claimed in claim 21, it is characterized in that, this quantum key office terminal also comprises:

First initialization module, for carrying out the initial work of physical connection confirmation to quantum key office terminal.

23. quantum key office terminals as claimed in claim 22, it is characterized in that, this quantum key office terminal also comprises:

24. as arbitrary in claim 21-23 as described in quantum key office terminal, it is characterized in that: described first quantum key interactive module receives the application key data claim frame that corresponding service application terminal sends, and according to the information in application key data claim frame, judge whether there is satisfactory key in memory module, and reply application key data response frame to corresponding service application terminal, if satisfactory quantum key amount is not less than key request amount, then in application key data response frame, mark the enough marks of key, otherwise, the mark of key deficiency is marked in application key data response frame.

25. 1 kinds of service application terminals, in the quantum key transmission control system of such as one of claim 11-20, and between at least one other service application terminal, use amount sub-key securely communicates, and this service application terminal comprises:

26. service application terminals as claimed in claim 25, is characterized in that: described parameter also comprises application mark, for multiple key application processes of identification service application terminal parallel processing.

27. service application terminals as claimed in claim 26, it is characterized in that, this service application terminal also comprises:

Second initialization module, for carrying out the initial work of parameter configuration and physical connection confirmation to service application terminal.

28. service application terminals as claimed in claim 27, it is characterized in that, this service application terminal also comprises:

Second authentication module, for the configuration according to initialization module, the quantum key office terminal to correspondence sends authentication request frames, and the authentication response frames that quantities received sub-key office terminal sends, realize and the handshake authentication between corresponding quantum key office terminal.

29. as arbitrary in claim 25-28 as described in service application terminal, it is characterized in that, this service application terminal also comprises:

Cache module, for the quantum key that buffer memory second quantum key interactive module obtains, and quantum key is sent to key negotiation module, according to the completeness check result that key negotiation module sends, retain the quantum key by completeness check, delete not by the quantum key of completeness check; Dyad sub-key application module provides the quantum key by completeness check.