CN106850204A - Quantum key distribution method and system - Google Patents

Publication number
CN106850204A
Authority
CN
China
Legal status
Pending
Application number
CN201710109371.7A
Other languages
Chinese (zh)
Inventor
张�杰
曹原
赵永利
张会彬
郁小松
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0852: Quantum cryptography

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Optical Communication System (AREA)

Abstract

The present invention provides a quantum key distribution method and system, belonging to the field of information security technology. The method includes: when a service communication request is detected, determining the key space in the quantum key pool that the service communication request applies for; and, based on that key space, distributing a quantum key to the network service corresponding to the service communication request. Because the quantum key pool can be partitioned into multiple key spaces, multiple network services can each use a key space to obtain keys; that is, QKD and network services stand in a "one-to-many" relationship, which saves the wavelength resources of the optical fiber and the key resources between quantum communication nodes. The utilization of key resources during key distribution is therefore higher.

Description

Quantum key distribution method and system
Technical field
The present invention relates to the field of information security technology, and more particularly to a quantum key distribution method and system.
Background
With the rapid development of information and communication technology, information networks face more and more security threats, and the network security situation is becoming increasingly severe and complex. To achieve confidential communication, node devices in a network usually need to encrypt information with quantum keys when carrying out service communication. The security of QKD (Quantum Key Distribution) is guaranteed by basic laws of quantum mechanics, namely the "measurement collapse theory", the "Heisenberg uncertainty principle" and the "quantum no-cloning theorem", and in theory it has the advantage of "unconditional security". Because quantum keys are the basis of secure service communication, how to distribute them is a key issue. Existing quantum key distribution schemes are mainly based on a quantum channel, a classical channel and a pair of quantum communication nodes, and distribute quantum keys to a pair of node devices in the network. Each pair of quantum communication nodes comprises a quantum sending node and a quantum receiving node, and the quantum channel and the classical channel share an optical fiber by means of WDM (Wavelength Division Multiplexing). Specifically, the quantum sending node sends quantum signals to the quantum receiving node over the quantum channel, and the two nodes negotiate over the classical channel between them to confirm the final quantum key, which is then distributed to the pair of node devices in the network that are to process the network service. While the pair of node devices is processing a network service, the quantum communication nodes, the entire quantum channel and the classical channel are all occupied. If a quantum key must be distributed to a new network service at that point, either the new service has to wait until encryption and transmission of the current network service have finished, or another pair of quantum communication nodes, another quantum channel and another classical channel have to be provided to distribute a quantum key to the new network service.
In the course of realizing the present invention, the prior art was found to have at least the following problem: because QKD and the network service using it stand in a "one-to-one" relationship, the wavelength resources of the optical fiber and the key resources between quantum communication nodes are wasted. The utilization of key resources during key distribution is therefore low.
Summary of the invention
The present invention provides a quantum key distribution method and system that overcome the above problem or at least partially solve it.
According to one aspect of the present invention, a quantum key distribution method is provided, the method including:
when a service communication request is detected, determining the key space in the quantum key pool that the service communication request applies for;
based on the key space, distributing a quantum key to the network service corresponding to the service communication request.
According to another aspect of the present invention, a quantum key distribution system is provided, the system including a quantum gateway and a quantum key pool;
the quantum gateway integrates a quantum receiving node and a quantum sending node; the quantum sending node and the quantum receiving node are connected by a quantum channel and a classical channel; a quantum key pool is provided between the quantum sending node and the quantum receiving node, and the quantum key pool includes at least one key space.
The beneficial effects of the technical solution proposed in this application are as follows:
When a service communication request is detected, the key space in the quantum key pool that the request applies for is determined, and a quantum key is distributed to the corresponding network service based on that key space. Because the quantum key pool can be partitioned into multiple key spaces, multiple network services can each use a key space to obtain keys; that is, QKD and network services stand in a "one-to-many" relationship, which saves the wavelength resources of the optical fiber and the key resources between quantum communication nodes. The utilization of key resources during key distribution is therefore higher.
Brief description of the drawings
Fig. 1 is a schematic diagram of a quantum key encryption principle according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a quantum key distribution method according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of a quantum key distribution method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the principle of building a quantum key pool according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a quantum key pool building process according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a quantum key distribution and update process according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of a network scenario according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of the principle of quantum key distribution and update according to an embodiment of the present invention.
Detailed description
Specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings and examples. The following examples illustrate the present invention and do not limit its scope.
Today, the rapid development of broadband services such as the Internet and cloud computing brings multiplying data traffic and, with it, many network security problems. In traditional data encryption schemes, the key distribution channel may be eavesdropped on or attacked. QKD technology can guarantee the absolute security of key transmission. The security of QKD is guaranteed by basic principles of quantum mechanics, namely the "measurement collapse theory", the "Heisenberg uncertainty principle" and the "quantum no-cloning theorem", and in theory it has the advantage of "unconditional security". Because distributing quantum keys is the basis of secure service communication, how to distribute them is a key issue.
Existing quantum key distribution schemes are mainly based on a quantum channel, a classical channel and a pair of quantum communication nodes, and distribute keys to a pair of node devices in the network, as shown for example in Fig. 1. Take the quantum sending node to be Alice and the quantum receiving node to be Bob. The quantum sending node Alice sends quantum signals to the quantum receiving node Bob over the quantum channel, and the two negotiate over the classical channel to confirm the final secure key. Existing quantum key distribution schemes mainly distribute keys point-to-point between Alice and Bob; once a network service arrives, it occupies the quantum communication nodes, the entire quantum channel and the classical channel. Because QKD and the network service using it stand in a "one-to-one" relationship, the wavelength resources of the optical fiber and the key resources between quantum communication nodes are wasted. The utilization of key resources during key distribution is therefore low.
In Fig. 1, when quantum keys need to be distributed to node 1 and node 2, the quantum communication nodes (Alice and Bob), the entire quantum channel and the classical channel are all occupied. If quantum keys must then be distributed to other network services, either those services have to wait until the existing service has finished encryption and transmission, or another pair of quantum communication nodes and two more channels have to be provided to distribute quantum keys to the new service.
To address the problems in the prior art, an embodiment of the present invention provides a quantum key distribution method. Referring to Fig. 2, the method includes: 201, when a service communication request is detected, determining the key space in the quantum key pool that the service communication request applies for; 202, based on the key space, distributing a quantum key to the network service corresponding to the service communication request.
In the method provided by this embodiment, when a service communication request is detected, the key space in the quantum key pool that the request applies for is determined, and a quantum key is distributed to the corresponding network service based on that key space. Because the quantum key pool can be partitioned into multiple key spaces, multiple network services can each use a key space to obtain keys; that is, QKD and network services stand in a "one-to-many" relationship, which saves the wavelength resources of the optical fiber and the key resources between quantum communication nodes. The utilization of key resources during key distribution is therefore higher.
As an optional embodiment, before determining the key space in the quantum key pool that the service communication request applies for, the method further includes:
dividing the quantum key pool into key spaces based on the key generation rate between quantum gateways.
As an optional embodiment, determining the key space in the quantum key pool that the service communication request applies for includes:
for the network service corresponding to the service communication request, determining the service security level of the network service;
based on the correspondence between service security levels and key spaces, determining the key space in the quantum key pool that corresponds to the service security level, and taking it as the key space applied for.
As an optional embodiment, determining the key space in the quantum key pool that the service communication request applies for includes:
obtaining the key length corresponding to the service communication request;
according to the correspondence between key lengths and key spaces, determining the key space in the quantum key pool that corresponds to the key length, and taking it as the key space applied for.
As an optional embodiment, distributing a quantum key to the network service corresponding to the service communication request based on the key space includes:
detecting whether the key space is idle in the current time slice;
when the key space is idle in the current time slice, distributing to the network service a key of the length corresponding to the key space.
As an optional embodiment, after distributing a quantum key to the network service corresponding to the service communication request based on the key space, the method further includes:
counting the cumulative number of time slices since the quantum key was distributed to the network service;
when the cumulative number reaches the key update period corresponding to the key space, redistributing a quantum key to the network service.
As an optional embodiment, before redistributing a quantum key to the network service, the method further includes:
determining the key update period corresponding to the key space according to the service security level of the network service;
or, obtaining the key update period corresponding to the service communication request.
All of the above optional technical solutions may be combined in any way to form optional embodiments of the present invention, which are not described one by one here.
An embodiment of the present invention provides a quantum key distribution system, the system including a quantum gateway and a quantum key pool;
the quantum gateway integrates a quantum receiving node and a quantum sending node; the quantum sending node and the quantum receiving node are connected by a quantum channel and a classical channel; a quantum key pool is provided between the quantum sending node and the quantum receiving node, and the quantum key pool includes at least one key space.
In the system provided by this embodiment, when a service communication request is detected, the key space in the quantum key pool that the request applies for is determined, and a quantum key is distributed to the corresponding network service based on that key space. Because the quantum key pool can be partitioned into multiple key spaces, multiple network services can each use a key space to obtain keys; that is, QKD and network services stand in a "one-to-many" relationship, which saves the wavelength resources of the optical fiber and the key resources between quantum communication nodes. The utilization of key resources during key distribution is therefore higher.
As an optional embodiment, the quantum gateway includes at least a high-speed narrow-pulse light source, a single-photon detector and a bidirectional quantum key distribution module.
As an optional embodiment, the system further includes a quantum repeater, which is used to connect different quantum gateways.
All of the above optional technical solutions may be combined in any way to form optional embodiments of the present invention, which are not described one by one here.
Based on the quantum key distribution system provided in the above embodiment, an embodiment of the present invention provides a quantum key distribution method. Referring to Fig. 3, the method includes: 301, dividing the quantum key pool into key spaces based on the key generation rate between quantum gateways; 302, when a service communication request is detected, determining the key space in the quantum key pool that the service communication request applies for; 303, based on the key space, distributing a quantum key to the network service corresponding to the service communication request.
In step 301, the quantum key pool is divided into key spaces based on the key generation rate between quantum gateways.
Before this step, the network may be deployed on the basis of the quantum key distribution system provided in the above embodiment; this embodiment places no specific limitation on this. Specifically, the network topology, quantum gateways and trusted relays may be deployed. Node devices may be deployed according to the location information and number of node devices in the network, thereby constructing the network topology. Considering the node locations in the network topology where services need to establish secure communication, quantum key pools can be built between these nodes. Quantum gateways can be deployed at the node locations that need to establish secure communication; a quantum gateway integrates the functions of a quantum sending node and a quantum receiving node. A quantum gateway includes at least a high-speed narrow-pulse light source, a single-photon detector and a bidirectional QKD module, so that it can perform QKD as an integrated transceiver and can continuously produce optical quantum signals. In addition, trusted relays can be deployed between the nodes in the network topology. Because QKD cannot apply optical signal amplification, its transmission distance is limited, and deploying trusted relays extends that distance. The trusted relay is the quantum repeater in the quantum key distribution system, and this quantum repeater is secure and reliable.
Furthermore, because key communication must subsequently be carried out between quantum gateways, a key communication mode may be selected before this step. This embodiment does not specifically limit the key communication mode, which includes but is not limited to: realizing key communication by selecting the QKD protocol, the working band of the quantum key pool, the quantum channel and the classical channel.
The QKD protocol may be any of the BB84 protocol, the B92 protocol, the six-state protocol, the E91 protocol and similar protocols; this embodiment places no specific limitation on this. This embodiment may use the BB84 protocol, which is relatively mature and currently widely applied.
When selecting the working band of the quantum key pool, the C-band (1530 to 1565nm), which contains the 1550nm low-loss window, may be chosen to build the quantum key pool; this embodiment places no specific limitation on this. Using the C-band effectively reduces transmission loss and extends the transmission distance and rate of single-photon signals, improving QKD efficiency. In addition, placing the quantum channel at the high-frequency end of the C-band, that is, near the 1530nm wavelength, effectively reduces Raman scattering. The quantum channel continuously carries the single optical quantum signals with different polarization states produced by the quantum gateway, and these quantum signals cannot be detected by an eavesdropper.
A guard bandwidth (>=200GHz) may be reserved on both sides of the quantum channel and the classical channel to reduce the influence of the four-wave mixing effect. In addition, the classical channel may use a wavelength spaced 200GHz from the quantum channel, and is used for clock synchronization and for confirming quantum key sifting between quantum communication nodes.
Because this step mainly divides the quantum key pool, the quantum key pool may be built before this step. This embodiment does not specifically limit the way the quantum key pool is built, which includes but is not limited to: building a QKD system; and, based on the QKD system, integrating the key resources between nodes. Specifically, every pair of quantum gateways (transceiver nodes) in the network topology, together with their quantum communication link resources, can be built into a point-to-point QKD system. Based on the QKD system, a quantum key pool is built between node devices to store the key resources produced by the quantum gateways. A quantum key pool may be built between every pair of nodes in the network topology that need to establish secure service communication; this embodiment places no specific limitation on this.
Once built, the quantum key pool can continuously produce and store quantum keys and can support secure communication for multiple services. To encrypt the information exchanged in service communication, a corresponding key encryption algorithm may also be selected; this embodiment does not specifically limit the encryption algorithm used. This embodiment may use the AES (Advanced Encryption Standard) encryption algorithm in place of the earlier DES (Data Encryption Standard) encryption algorithm. The AES encryption algorithm can be public, and the security of service communication depends on the security of key distribution. The key length in the AES encryption algorithm may be any of 128bit, 192bit and 256bit; this embodiment places no specific limitation on this. The longer the key, the harder it is to brute-force the encrypted service, and correspondingly the higher the service security level.
Based on the above, in this step the key generation rate between every pair of quantum gateways is determined so that the quantum key resources in the key pool can be planned effectively, that is, so that the quantum key pool can be divided into key spaces. This embodiment does not specifically limit the way the quantum key pool is divided into key spaces based on the key generation rate between quantum gateways, which includes but is not limited to: based on the key generation rate per unit time slice, dividing the quantum key pool into key spaces according to preset key lengths.
For example, take a unit time slice of 1 second and a key generation rate of 1024Kbit/s per second. Based on the preset key lengths of the AES algorithm described above, the quantum key pool can be divided into 8 (=1024/128) key spaces of 128bit, or into 4 key spaces of 128bit and 2 key spaces of 256bit. When dividing key spaces, it is sufficient that the total key length of all key spaces equals the key generation rate; this embodiment does not specifically limit the manner of division. The principle of building the quantum key pool may be as shown in Fig. 4, in which the quantum key pool is divided into 3 key spaces. A schematic flow chart of building the quantum key pool is given in Fig. 5, which shows the process from network deployment to building the quantum key pool.
The longer the key, the higher the security level of the key space. The shorter the key update period, the higher the security level of the key space. For example, in the above, a key space of 256bit length has a higher security level than a key space of 128bit length. Moreover, because a shorter key update period also means a higher security level for the key space, a correspondence among key update period, key space length and service security level can be established in advance, so that in this step the quantum key pool is divided into key spaces according to service security level. For example, suppose the service security level is divided into 6 levels. Level 1 is the lowest security level; its key space length is 128bit and its key update period is 5s. Level 2 has a key space length of 128bit and a key update period of 4s. Level 3 has a key space length of 128bit and a key update period of 3s. Level 4 has a key space length of 128bit and a key update period of 2s. Level 5 has a key space length of 256bit and a key update period of 3s. Level 6 is the highest security level; its key space length is 256bit and its key update period is 2s. The key space lengths of these 6 levels sum to exactly the key generation rate.
Based on the above, this embodiment does not specifically limit the way the quantum key pool is divided into key spaces based on the key generation rate between quantum gateways, which includes but is not limited to: dividing service security levels based on the key generation rate between gateways and the key update period; and dividing the quantum key pool into key spaces according to the service security levels. For example, the service security levels above correspond to 4 key spaces of 128bit length and 2 key spaces of 256bit length, so the quantum key pool can be divided into these 6 key spaces.
In step 302, when a service communication request is detected, the key space in the quantum key pool that the service communication request applies for is determined.
Based on the content of step 301 above, when a service communication request is detected, this embodiment does not specifically limit the way of determining the key space in the quantum key pool that the request applies for, which includes but is not limited to the following two ways.
First way: for the network service corresponding to the service communication request, determine the service security level of the network service; based on the correspondence between service security levels and key spaces, determine the key space in the quantum key pool that corresponds to the service security level, and take it as the key space applied for.
The numerical value of the service security level may be carried in the service communication request. For example, take the 6 service security levels defined in step 301 above. If the service security level value carried in the service communication request is 3, the service security level of the network service is determined to be level 3, so the key space applied for by the network service is determined to be a key space of 128bit length. In addition, because the service security level in step 301 also corresponds to a key update period, the key update period of that 128bit key space can be determined at the same time to be 3s.
Second way: obtain the key length corresponding to the service communication request; according to the correspondence between key lengths and key spaces, determine the key space in the quantum key pool that corresponds to the key length, and take it as the key space applied for.
The key length may likewise be carried in the service communication request. This way amounts to the network service corresponding to the service communication request directly applying for a key space of a given key length. For example, when a key space of 256bit length is needed, the key length 256bit can be carried in the service communication request, so the key space applied for by the network service is determined to be a key space of 256bit length. In addition, because a key space also corresponds to a key update period, the key update period may also be carried in the service communication request; this embodiment places no specific limitation on this.
Wherein, 303 it is that service communication asks corresponding Network distribution quantum key, based on key space.
It is determined that after the key space of Network application, quantum key can be distributed based on key space.The present embodiment is not To based on key space, being that service communication asks the mode of corresponding Network distribution quantum key to make specific restriction, including But it is not limited to:Whether detection key space is idle under current time piece;When key space is idle shape under current time piece It is the key of Network distribution key space corresponding length during state.
Before said process is performed, key updating cycle T and OTDM (Optical Time that can first according to key space Division Multiplexing, Optical Time Division Multiplexing) technology, each key space is cut into T timeslice, each time Piece can be to Network distribution according to need quantum key or renewal quantum key.For a key space, in current time piece Multiple Network applications be might have using distributing quantum key, thus can first detection key space under current time piece It is whether idle, when key space is idle condition under current time piece, then for Network distribution key space is accordingly long The key of degree.
In order to ensure the security of key, after for Network distribution quantum key, distribution quantum is also based on close In the key updating cycle corresponding to the key space of key, update the quantum key that Network is used.The present embodiment is not to updating The mode of the quantum key that Network is used makees specific restriction, including but not limited to:Count as Network distribution quantum is close The accumulation number of timeslice after key;It is Network weight when accumulation number reaches key space corresponding key updating cycle New distribution quantum key.
Because said process is designed into the key updating cycle, so as to the corresponding key updating of key space can also first be determined Cycle.Based on the content in above-mentioned steps 302, the present embodiment does not determine the mode in key space corresponding key updating cycle pair Make specific restriction, including but not limited to:According to the corresponding business safety grade of Network, the corresponding key of key space is determined Update cycle;Or, obtain service communication and ask the corresponding key updating cycle.
For example, take a unit time slice length of 1 s and a key update period of 3 s for the key space. The key update period of the key space is then 3 time slices. If a network service applies for the key space in the current time slice, 1 s, the key space distributes a quantum key to that network service. From 1 s onward, the number of time slices is accumulated; when it reaches 3 time slices, that is, when the accumulated number reaches the key update period corresponding to the key space, a quantum key can be redistributed to the network service. Based on the above, the flow of distributing and updating quantum keys in the quantum key pool is shown in Fig. 6.
The quantum key pool provided by this embodiment can be applied in many network scenarios. For ease of understanding, the method flow of this embodiment is illustrated using the "IP + optical" heterogeneous network based on QKD and an SDN (Software Defined Networking) controller shown in Fig. 7. Assuming that all nodes of the full mesh topology need to establish secure communication, a quantum key pool can be built between every pair of nodes using the method of this embodiment. When an application-layer user sends a secure service request to the SDN controller in the control layer, the SDN controller requests the key pool in the key layer to distribute and update quantum keys. Service ① and service ② correspond to an IP-layer service and an optical-network-layer service respectively, and the quantum keys in the key-layer quantum key pool ensure secure on-demand key distribution and update for service ① and service ②.
Take a key generation rate of 1024 Kbit/s as an example (the actual key generation rate in laboratories today can exceed 1024 Kbit/s). If key lengths of 128 bit and 256 bit are selected, the quantum key pool is divided by key length into 4 128-bit key spaces and 2 256-bit key spaces. The key update periods of the 4 128-bit key spaces are 2 seconds, 3 seconds, 4 seconds and 5 seconds respectively, and the key update periods of the 2 256-bit key spaces are 2 seconds and 3 seconds respectively.
Using OTDM technology, the 4 128-bit key spaces are divided into 2, 3, 4 and 5 time slices, and the 2 256-bit key spaces are divided into 2 and 3 time slices, as shown in Fig. 8. Each time slice in Fig. 8 can securely distribute and update quantum keys for an IP (network) layer service or an optical-network-layer service. Building the quantum key pool decouples QKD from the services and realizes a "one-to-many" relationship between QKD and services: quantum keys can be provided dynamically to multiple services between the source and sink nodes, which greatly improves the utilization of key resources.
With a quantum key pool built between the source and sink nodes of the heterogeneous network, when a service arrives, the network layer the service is adapted to is determined first; two kinds of service request can occur, IP layer and optical network layer. When quantum keys are distributed and updated, the key length and update period are selected to suit the service. In this quantum key pool, the key space with a key length of 256 bit and a key update period of 2 seconds has the highest security level. When a time slice is allocated to a new service, it can be allocated randomly or by first fit; if there is no free time slice, no secure key can be provided for the service. After the service has finished transmitting, the time slice in its key space is released so that a quantum key can be distributed or updated for the next service.
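The allocation, renewal and release cycle described above, as an added sketch that is not code from the patent. It assumes each service occupies one time slice of a key space and is rekeyed whenever that slice recurs, uses first-fit selection, and substitutes `secrets.token_bytes` for key material from the QKD link; all class and method names are hypothetical.

```python
import secrets

# Layout from the example above: (key length in bits, key update period T in time slices).
LAYOUT = [(128, 2), (128, 3), (128, 4), (128, 5), (256, 2), (256, 3)]


class KeySpace:
    def __init__(self, key_bits, period):
        self.key_bits = key_bits
        self.period = period
        self.slices = [None] * period   # slice index -> owning service, None = idle


class QuantumKeyPool:
    def __init__(self, layout=LAYOUT):
        self.spaces = [KeySpace(bits, t) for bits, t in layout]
        self.tick = 0          # index of the current unit time slice
        self.owner_of = {}     # service -> (key space, slice index)
        self.keys = {}         # service -> (key bytes, generation number)

    def _issue(self, service, space):
        # Assumption: random bytes stand in for key material produced by QKD.
        generation = self.keys.get(service, (None, 0))[1] + 1
        self.keys[service] = (secrets.token_bytes(space.key_bits // 8), generation)

    def request(self, service, key_bits):
        """First fit: take the first key space of this key length that is idle
        in the current time slice. Returns the key, or None if all are busy."""
        if service in self.owner_of:
            raise ValueError("service already holds a time slice")
        for space in self.spaces:
            idx = self.tick % space.period
            if space.key_bits == key_bits and space.slices[idx] is None:
                space.slices[idx] = service
                self.owner_of[service] = (space, idx)
                self._issue(service, space)
                return self.keys[service][0]
        return None

    def advance(self):
        """Move to the next time slice; a service is rekeyed each time its own
        slice comes round, i.e. after T accumulated time slices."""
        self.tick += 1
        renewed = []
        for space in self.spaces:
            service = space.slices[self.tick % space.period]
            if service is not None:
                self._issue(service, space)
                renewed.append(service)
        return renewed

    def release(self, service):
        """Service finished: free its time slice and discard its key."""
        space, idx = self.owner_of.pop(service)
        space.slices[idx] = None
        del self.keys[service]
```

A request that returns `None` corresponds to the case where no free time slice exists and no secure key can be provided; the caller can retry in a later time slice.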
In the method provided by the embodiment of the present invention, the quantum key pool is divided into key spaces based on the key generation rate between quantum gateways. When a service communication request is detected, the key space in the quantum key pool that the service communication request applies for is determined. Based on that key space, a quantum key is distributed to the network service corresponding to the service communication request. Because the quantum key pool can be divided into multiple key spaces, multiple network services can each use a different key space for key distribution; that is, QKD and network services are in a "one-to-many" relationship, which saves the wavelength resources of the optical fiber and the key resources between quantum communication nodes. The utilization of key resources during key distribution is therefore higher.
Further, because a key space can be divided into multiple time slices using OTDM technology according to the key update period, and each time slice can provide a secure key for a service, the quantum key pool can dynamically distribute and update quantum keys on demand for multiple services in the time dimension, realizing the "one-to-many" relationship between QKD and services. The utilization of wavelength resources and quantum key resources is therefore further improved.
Finally, by integrating the key resources between the source and sink nodes of the quantum network, a quantum key pool can be built conveniently, and the quantum key pool so built is easy to extend. Relying on the theoretically unconditional security of quantum communication, the quantum key pool can guarantee absolute security during key distribution.
Finally, the methods of the present application are only preferred embodiments and are not intended to limit the scope of protection of the present invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A quantum key distribution method, characterized in that the method comprises:
when a service communication request is detected, determining the key space in the quantum key pool that the service communication request applies for;
based on the key space, distributing a quantum key to the network service corresponding to the service communication request.
2. The method according to claim 1, characterized in that, before determining the key space in the quantum key pool that the service communication request applies for, the method further comprises:
dividing the quantum key pool into key spaces based on the key generation rate between quantum gateways.
3. The method according to claim 1, characterized in that determining the key space in the quantum key pool that the service communication request applies for comprises:
for the network service corresponding to the service communication request, determining the service security level corresponding to the network service;
based on the correspondence between service security levels and key spaces, determining the key space in the quantum key pool that corresponds to the service security level, and taking it as the key space applied for.
4. The method according to claim 1, characterized in that determining the key space in the quantum key pool that the service communication request applies for comprises:
obtaining the key length corresponding to the service communication request;
according to the correspondence between key lengths and key spaces, determining the key space in the quantum key pool that corresponds to the key length, and taking it as the key space applied for.
5. The method according to claim 1, characterized in that distributing, based on the key space, a quantum key to the network service corresponding to the service communication request comprises:
detecting whether the key space is idle in the current time slice;
when the key space is idle in the current time slice, distributing to the network service a key of the length corresponding to the key space.
6. The method according to any one of claims 1 to 5, characterized in that, after distributing, based on the key space, a quantum key to the network service corresponding to the service communication request, the method further comprises:
counting the accumulated number of time slices since the quantum key was distributed to the network service;
when the accumulated number reaches the key update period corresponding to the key space, redistributing a quantum key to the network service.
7. The method according to claim 6, characterized in that, before redistributing a quantum key to the network service, the method further comprises:
determining the key update period corresponding to the key space according to the service security level corresponding to the network service;
or, obtaining the key update period corresponding to the service communication request.
8. A quantum key distribution system, characterized in that the system comprises: a quantum gateway and a quantum key pool;
the quantum gateway integrates a quantum receiving node and a quantum sending node; the quantum sending node and the quantum receiving node are connected by a quantum channel and a classical channel; the quantum key pool is provided between the quantum sending node and the quantum receiving node, and the quantum key pool comprises at least one key space.
9. The system according to claim 8, characterized in that the quantum gateway comprises at least a high-speed narrow-pulse light source, a single-photon detector and a bidirectional quantum key distribution module.
10. The system according to claim 8, characterized in that the system further comprises a quantum repeater, the quantum repeater being used to connect different quantum gateways.
CN201710109371.7A 2017-02-27 2017-02-27 Quantum key distribution method and system Pending CN106850204A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710109371.7A CN106850204A (en) 2017-02-27 2017-02-27 Quantum key distribution method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710109371.7A CN106850204A (en) 2017-02-27 2017-02-27 Quantum key distribution method and system

Publications (1)

Publication Number Publication Date
CN106850204A true CN106850204A (en) 2017-06-13

Family

ID=59134966

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710109371.7A Pending CN106850204A (en) 2017-02-27 2017-02-27 Quantum key distribution method and system

Country Status (1)

Country Link
CN (1) CN106850204A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170613