CN107453868B - A safe and efficient quantum key service method - Google Patents

Info

Publication number: CN107453868B
Authority: CN (China)
Application number: CN201710780932.6A
Other languages: Chinese (zh)
Other versions: CN107453868A
Prior art keywords: quantum key, key, service, quantum, application
Inventors: 陈晖, 何远杭, 张亮亮, 黄伟, 徐兵杰
Original assignee: 中国电子科技集团公司第三十研究所

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Abstract

The invention discloses a safe and efficient quantum key service method. It aims to solve the problems of flexibility, security and efficiency in serving quantum keys across domains, from a QKD network to a traditional secure communication network: dedicated interfaces provide real-time access to and adaptation of quantum keys, cross-domain isolation provides physical security for quantum key processing, and centralized orchestration combined with distributed encrypted ferrying provides safe and efficient quantum key service. By deploying quantum key service systems at QKD nodes and providing safe and efficient quantum key service to users within the region over the traditional secure communication network, the invention addresses the security, flexibility and efficiency of quantum key service. Owing to its higher security, easier application access and more flexible service modes, the invention has good application prospects in the party and government, industrial control, finance and military fields.

Description

A safe and efficient quantum key service method

Technical field

The present invention relates to a safe and efficient quantum key service method.

Background technique

Quantum key distribution (QKD) is a new technology for the secure online distribution of random keys. Based on the quantum uncertainty principle and the no-cloning theorem, it uses the quantum states of microscopic particles as the information carrier and achieves physically secure key distribution over a quantum channel. QKD has significant advantages in improving the security of key distribution. Driven by national industry policy, and against the background of rapidly developing cyberspace security technology, the quantum communication industry, centred on the deployment of QKD networks and the construction of integrated application systems, has entered a period of rapid development. Because the QKD network is relatively independent in its technical architecture, it is difficult to carry it on the same fibre link as the traditional secure communication network and difficult to dock it securely and seamlessly with legacy communication systems. To promote the application of QKD technology and significantly improve the security of traditional secure communication systems, the security, flexibility and efficiency of quantum key service need to be solved.

Summary of the invention

To overcome the above shortcomings of the prior art, the present invention provides a safe and efficient quantum key service method. It aims to solve the problems of flexibility, security and efficiency in serving quantum keys across domains from a QKD network to a traditional secure communication network: dedicated interfaces provide real-time access to and adaptation of quantum keys, cross-domain isolation provides physical security for quantum key processing, and centralized orchestration combined with distributed encrypted ferrying provides safe and efficient quantum key service.

The technical solution adopted by the present invention to solve the technical problem is a safe and efficient quantum key service method comprising the following steps:

Step 1: Originating-end proxy server A initiates a session request to responding-end proxy server B; after mutual authentication is completed, the two negotiate the quantum key parameters and request quantum keys from quantum key service system A and quantum key service system B respectively;

Step 2: Quantum key service system A and quantum key service system B carry out authentication and confirmation of the quantum key parameters with proxy server A and proxy server B respectively; once authentication and parameter confirmation pass, they request quantum keys from QKD node A and QKD node B respectively; otherwise, the request is made again;

Step 3: After completing mutual authentication, QKD node A and QKD node B negotiate a quantum key in real time or read the quantum key with the same index number from the quantum key pool, output it to quantum key service system A and quantum key service system B respectively, and each securely delete the quantum key after output;

Step 4: Quantum key service system A and quantum key service system B lay out the quantum keys that pass detection and verification, encrypt-ferry the quantum keys with the same key index number to proxy server A and proxy server B respectively, and each securely delete the quantum key and update the index after the encrypted ferrying;

Step 5: Proxy server A and proxy server B each decrypt the quantum key data and, after verification passes, inject the quantum key into application system A and application system B respectively; or lay out the quantum key data according to an identical strategy and then inject it into application system A and application system B; or re-encrypt it and ferry it over the public network to application system A and application system B respectively; after the quantum key service process ends, each securely deletes the quantum key. If verification fails, the request is made again.

Compared with the prior art, the positive effects of the present invention are:

1. Secure access to the QKD network: dedicated interfaces, cross-domain isolation and multi-level security mechanisms.

2. Flexible quantum key service: real-time access and adaptation, synchronous encryption, and destruction of keys after use.

3. Rapid docking between the QKD network and widely distributed application terminals: quantum keys are requested from the QKD network in real time and rapidly injected into application terminals over the traditional secure communication network.

By deploying quantum key service systems at QKD nodes and providing safe and efficient quantum key service to users within the region over the traditional secure communication network, the invention solves the security, flexibility and efficiency problems of quantum key service at the same time. Owing to its higher security, easier application access and more flexible service modes, the invention has good application prospects in the party and government, industrial control, finance and military fields.

Detailed description of the invention

Embodiments of the present invention are described with reference to the accompanying drawings, in which:

Fig. 1 is the flow chart of the invention;

Fig. 2 shows the functional modules of the quantum key service system;

Fig. 3 is a diagram of the working principle of the invention.

Specific embodiment

A safe and efficient quantum key service method, as shown in Fig. 1, comprises the following: according to the demand of the application system, the proxy server applies to the quantum key service system for a quantum key; the quantum key service system applies to the QKD node for the quantum key on the proxy server's behalf and encrypt-ferries the laid-out quantum key data to the proxy server; and the proxy server injects the quantum key into the application system through a secure interface.

Specifically, the method includes the following steps:

Step 1: According to the demand of the application system, originating-end proxy server A initiates a session request to responding-end proxy server B. Proxy server A and proxy server B authenticate each other based on the pre-shared key between them. After mutual authentication is completed, they negotiate the quantum key parameters required by the application (including at least the data format, number of groups and length of the quantum key), and request quantum keys from quantum key service system A and quantum key service system B respectively.

Step 2: Quantum key service system A and quantum key service system B carry out authentication and confirmation of the quantum key parameters with proxy server A and proxy server B respectively. Once authentication and parameter confirmation pass, quantum key service system A and quantum key service system B in turn request quantum keys from QKD node A and QKD node B respectively; otherwise, the request is made again.

Step 3: QKD node A and QKD node B authenticate each other based on the pre-shared key between them. After authentication passes, they negotiate a quantum key in real time or read the quantum key with the same index number from the quantum key pool (in the latter case the key negotiated in real time is used to replenish the quantum key pool), and output it to quantum key service system A and quantum key service system B respectively. QKD node A and QKD node B then each securely delete the quantum key.

Step 4: Quantum key service system A and quantum key service system B perform randomness detection and consistency and integrity checks on the quantum key. Quantum keys that pass detection and verification are laid out according to the key format and assigned a corresponding key index number based on the node relationship, data length and so on. Quantum key service system A and quantum key service system B encrypt-ferry the quantum keys with the same key index number to proxy server A and proxy server B respectively; then each securely deletes the quantum key and updates the index.

Step 5: Proxy server A and proxy server B each decrypt the quantum key data and check its integrity. After verification, proxy server A and proxy server B inject the quantum key into application system A and application system B respectively; or lay out the quantum key data according to an identical strategy and then inject it into application system A and application system B; or re-encrypt it and ferry it over the public network to application system A and application system B respectively. The quantum key service process then ends, and proxy server A and proxy server B each securely delete the quantum key. If verification fails, the request is made again.
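The service flow of steps 3 to 5, simulated on a single host as an added example that is not code from the patent: the two QKD nodes output the key with the same index number and delete it, the service systems run a randomness check and a consistency check before encrypt-ferrying the key to the proxies under the key pre-shared with each proxy, and the proxies verify, inject and report success or the need to apply again. The HMAC-based keystream, the monobit threshold and all names are assumptions of this example.

```python
"""Added example: steps 3 to 5 of the quantum key service flow on one host.
All names, the HMAC-based keystream and the monobit threshold are assumptions
of this example, not the patent's own design."""
import hashlib
import hmac

def keystream(psk: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stdlib stand-in for the
    cipher that encrypts the ferried key (assumption of this example)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(psk, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def randomness_ok(key: bytes, tolerance: float = 0.15) -> bool:
    """Randomness detection (step 4): monobit frequency test; the fraction of
    one bits must lie within `tolerance` of 1/2, so stuck-at keys are rejected."""
    ones = sum(bin(b).count("1") for b in key)
    return abs(ones / (8 * len(key)) - 0.5) <= tolerance

def ferry_encrypt(psk: bytes, index: str, key: bytes) -> tuple:
    """Encrypt-then-MAC of one key block, bound to its key index number so a
    block accepted under one index cannot be replayed under another."""
    label = index.encode()
    ct = bytes(a ^ b for a, b in zip(key, keystream(psk, b"enc" + label, len(key))))
    tag = hmac.new(psk, b"mac" + label + ct, hashlib.sha256).digest()
    return ct, tag

def ferry_decrypt(psk: bytes, index: str, ct: bytes, tag: bytes):
    """Returns the key block, or None when the tag fails (step 5: apply again)."""
    label = index.encode()
    expected = hmac.new(psk, b"mac" + label + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(psk, b"enc" + label, len(ct))))

class QKDNode:
    """Holds this node's copy of the quantum key pool, addressed by index number."""
    def __init__(self, pool: dict):
        self.pool = dict(pool)

    def output(self, index: str) -> bytes:
        # Step 3: output the key with this index, then delete it from the pool.
        return self.pool.pop(index)

def service_key(node_a, node_b, index, psk_a, psk_b):
    """Steps 3 and 4 for one index: returns (packet_a, packet_b), or None when
    detection or the consistency check fails and the request must be repeated."""
    key_a, key_b = bytearray(node_a.output(index)), bytearray(node_b.output(index))
    if not (randomness_ok(key_a) and randomness_ok(key_b)):
        return None
    # Consistency check: A and B compare digests over the classical channel
    # instead of revealing the key; a mismatch means different data under one index.
    if not hmac.compare_digest(hashlib.sha256(key_a).digest(), hashlib.sha256(key_b).digest()):
        return None
    packets = (ferry_encrypt(psk_a, index, bytes(key_a)),
               ferry_encrypt(psk_b, index, bytes(key_b)))
    # Step 4: securely delete the plaintext copies after the encrypted ferry.
    key_a[:] = b"\x00" * len(key_a)
    key_b[:] = b"\x00" * len(key_b)
    return packets

def proxy_inject(psk: bytes, index: str, packet: tuple, application_system: dict) -> bool:
    """Step 5: the proxy decrypts and verifies, then injects into the application system."""
    key = ferry_decrypt(psk, index, *packet)
    if key is None:
        return False
    application_system[index] = key
    return True

def run_flow() -> bool:
    """Constructed pool held by both QKD nodes; True when both application
    systems receive the same key and the pool entry has been consumed."""
    pool = {f"A-B/{n}": hashlib.sha256(b"constructed pool key %d" % n).digest()
            for n in range(3)}
    node_a, node_b = QKDNode(pool), QKDNode(pool)
    psk_a = hashlib.sha256(b"constructed proxy A pre-shared key").digest()
    psk_b = hashlib.sha256(b"constructed proxy B pre-shared key").digest()
    app_a, app_b, index = {}, {}, "A-B/1"
    packets = service_key(node_a, node_b, index, psk_a, psk_b)
    if packets is None:
        return False
    ok_a = proxy_inject(psk_a, index, packets[0], app_a)
    ok_b = proxy_inject(psk_b, index, packets[1], app_b)
    return ok_a and ok_b and app_a[index] == app_b[index] and index not in node_a.pool
```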

The key combination (layout) method is as follows. The key shared between quantum key service system A (assumed to serve U application systems) and quantum key service system B (assumed to serve V application systems) is denoted the key sequence K_AB. The data in K_AB are split according to the key block length to form a U*V matrix M_AB(U, V) = {m_uv}, where m_uv is a bit sequence of the key block length, u ∈ [0, U-1] and v ∈ [0, V-1]; the matrix element m_uv is the key shared between application systems u and v. Finally, corresponding key index numbers are assigned according to the node relationship, key length and so on, and the data in the matrix M_AB(U, V) are securely stored.
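The layout method just described (restated in claim 1, step 4), as an added worked example that is not code from the patent: K_AB is split into a U*V matrix of key blocks, each element receives a key index number built from the node relationship, a batch serial number, its (u, v) position and the key length, and a digest lets the two service systems confirm they produced the same layout. The label format, the serial number and all identifiers are assumptions of this example.

```python
"""Added example: the key layout of step 4. KeyIndex, layout_matrix,
layout_digest and the index label format are assumptions of this example."""
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class KeyIndex:
    """Key index number formed from the node relationship and key length as the
    description requires, plus a batch serial and the (u, v) position."""
    node_pair: str  # node relationship, e.g. "A-B"
    serial: int     # running number of the K_AB batch, bumped when the index is updated
    u: int          # application system served by quantum key service system A
    v: int          # application system served by quantum key service system B
    key_len: int    # key block length in bytes

    def label(self) -> bytes:
        return f"{self.node_pair}/{self.serial}/{self.u},{self.v}/{self.key_len}".encode()

def layout_matrix(k_ab: bytes, node_pair: str, serial: int,
                  u_count: int, v_count: int, key_len: int) -> dict:
    """Split K_AB into U*V blocks of key_len bytes in row-major order, giving
    M_AB(U, V) = {m_uv}; m_uv is the key shared by application systems u and v.
    Bytes of K_AB beyond U*V*key_len are left for the next batch."""
    needed = u_count * v_count * key_len
    if len(k_ab) < needed:
        raise ValueError(f"K_AB holds {len(k_ab)} bytes, the layout needs {needed}")
    matrix = {}
    for u in range(u_count):
        for v in range(v_count):
            off = (u * v_count + v) * key_len
            matrix[KeyIndex(node_pair, serial, u, v, key_len)] = k_ab[off:off + key_len]
    return matrix

def layout_digest(matrix: dict) -> bytes:
    """Consistency value: A and B each lay out their copy of K_AB and compare this
    digest over the classical channel; a differing bit or index shows up without
    exposing key material."""
    h = hashlib.sha256()
    for idx in sorted(matrix, key=lambda i: (i.u, i.v)):
        h.update(idx.label())
        h.update(matrix[idx])
    return h.digest()

def demo() -> bool:
    """Constructed K_AB for U=2, V=3 and 8-byte blocks (not real key material);
    both service systems lay out the same sequence and must agree on the digest."""
    k_ab = bytes(range(48))
    side_a = layout_matrix(k_ab, "A-B", 1, 2, 3, 8)
    side_b = layout_matrix(k_ab, "A-B", 1, 2, 3, 8)
    return layout_digest(side_a) == layout_digest(side_b)
```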

Secret communication between quantum key service systems, between proxy servers, and between a quantum key service system and a proxy server uses traditional wireless or wired communication technology.

Where a Key Management Center (KMC) is present, the quantum key service system accepts management by the KMC in online encrypted communication mode or offline mode: it receives the quantum key service and application management policies issued by the KMC and reports summary information on the quantum key services it provides.

As shown in Fig. 2, the quantum key service system of the invention includes at least the following functional modules: an authentication and management module, a quantum key interface module, a quantum key processing and orchestration module, an encrypted communication module and a system control module. In detail:

Authentication and management module: registers and obtains authorization from the management center in online or offline mode, obtaining the common system initialization key, the pre-shared intercommunication key and the application management policy; the QKD terminal is connected after initial installation and authorization are completed; identity authentication between quantum key service systems, and between a quantum key service system and a proxy server, is implemented on the basis of the pre-shared intercommunication key.

Quantum key interface module: obtains quantum keys from the QKD node, or encrypt-ferries laid-out quantum keys to the proxy server or application system; and performs rate adaptation, key synchronization adaptation and the like for different types of application interface.

Here, rate adaptation means that the quantum key is expanded or laid out using cryptographic techniques according to the differing encryption and decryption rates of application systems.

Key synchronization adaptation means using the key with the corresponding key index number in situations such as initial synchronization, smooth alternating synchronization when old and new keys are swapped, and resynchronization after a communication terminal anomaly or after loss of synchronization caused by a channel fault.

Quantum key processing and orchestration module: performs randomness detection, consistency and integrity checks, key layout and secure storage for quantum keys; protects quantum keys using logical isolation and access control techniques; and securely deletes quantum keys that are no longer used.

Quantum secure communication module: uses the quantum key to encrypt plaintext data directly, or uses classical cryptographic techniques to encrypt the quantum key for encrypted communication. This module contains the traditional wireless/wired communication function modules.

System control module: controls and manages the other modules so that they work in a coordinated manner.

The proxy server of the invention may be either a standalone device or a functional module within an application system. When an application system directly accesses a quantum key service system, that application system is regarded as an application system with integrated proxy server functionality. In addition, multiple quantum key service systems may be interconnected in a hierarchical relationship: when one quantum key service system directly interconnects with another quantum key service system that accesses a QKD node, the former is regarded as a proxy server.

The working principle of the invention is shown in Fig. 3. According to the demand of the application system or proxy server, the quantum key service system applies to the QKD node for quantum keys in real time and caches them; it performs randomness detection and consistency and integrity checks on the quantum keys, lays out the quantum keys that pass detection and verification according to the key format, assigns corresponding key index numbers based on the node relationship, data length and so on, and then stores them encrypted. According to the application of an application system or proxy server within the node's service region, quantum key service systems A and B synchronously output the quantum key with the same key index number: each encrypts the quantum key data with the key it shares with its proxy server and sends it to the proxy server, and the proxy server decrypts the quantum key and delivers it to the application system. Application systems include at least various cryptographic terminals, security gateways, secure routers and cryptographic management systems.

Claims (9)

1. A safe and efficient quantum key service method, characterized by comprising the following steps:
Step 1: Originating-end proxy server A initiates a session request to responding-end proxy server B; after mutual authentication is completed, the two negotiate the quantum key parameters and request quantum keys from quantum key service system A and quantum key service system B respectively;
Step 2: Quantum key service system A and quantum key service system B carry out authentication and confirmation of the quantum key parameters with proxy server A and proxy server B respectively; once authentication and parameter confirmation pass, they request quantum keys from QKD node A and QKD node B respectively; otherwise, the request is made again;
Step 3: After completing mutual authentication, QKD node A and QKD node B negotiate a quantum key in real time or read the quantum key with the same index number from the quantum key pool, output it to quantum key service system A and quantum key service system B respectively, and each securely delete the quantum key after output;
Step 4: Quantum key service system A and quantum key service system B lay out the quantum keys that pass detection and verification: the data in the shared key K_AB between quantum key service system A and quantum key service system B are split according to the key block length to form a U*V matrix M_AB(U, V) = {m_uv}, where m_uv is a bit sequence of the key block length, u ∈ [0, U-1], v ∈ [0, V-1], and U and V are the numbers of application systems served by quantum key service systems A and B respectively; finally, corresponding key index numbers are assigned according to the node relationship and key length, and the data in the matrix M_AB(U, V) are securely stored; the quantum keys with the same key index number are then encrypt-ferried to proxy server A and proxy server B respectively, and after the encrypted ferrying each securely deletes the quantum key and updates the index;
Step 5: Proxy server A and proxy server B each decrypt the quantum key data and, after verification passes, inject the quantum key into application system A and application system B respectively; or lay out the quantum key data according to an identical strategy and then inject it into application system A and application system B; or re-encrypt it and ferry it over the public network to application system A and application system B respectively; after the quantum key service process ends, each securely deletes the quantum key; if verification fails, the request is made again.
2. The safe and efficient quantum key service method according to claim 1, characterized in that the quantum key parameters include at least the data format, number of groups and length of the quantum key.
3. The safe and efficient quantum key service method according to claim 1, characterized in that secret communication between quantum key service systems, between proxy servers, and between a quantum key service system and a proxy server uses traditional wireless or wired communication technology.
4. The safe and efficient quantum key service method according to claim 1, characterized in that the quantum key service system, in online encrypted communication mode or offline mode, receives the quantum key service and application management policies issued by the Key Management Center and reports summary information on the quantum key services it provides.
5. The safe and efficient quantum key service method according to claim 1, characterized in that the quantum key service system implements the following functions through an authentication and management module: registering and obtaining authorization from the management center in online or offline mode, obtaining the common system initialization key, the pre-shared intercommunication key and the application management policy; connecting the QKD terminal after initial installation and authorization are completed; and implementing identity authentication between quantum key service systems, and between a quantum key service system and a proxy server, on the basis of the pre-shared intercommunication key.
6. The safe and efficient quantum key service method according to claim 1, characterized in that the quantum key service system implements the following functions through a quantum key interface module: obtaining quantum keys from the QKD node, or encrypt-ferrying laid-out quantum keys to the proxy server or application system; and performing rate adaptation and key synchronization adaptation for different types of application interface.
7. The safe and efficient quantum key service method according to claim 6, characterized in that rate adaptation means expanding or laying out the quantum key using cryptographic techniques according to the differing encryption and decryption rates of application systems; and key synchronization adaptation means using the key with the corresponding key index number in situations such as initial synchronization, smooth alternating synchronization when old and new keys are swapped, and resynchronization after a communication terminal anomaly or after loss of synchronization caused by a channel fault.
8. The safe and efficient quantum key service method according to claim 1, characterized in that the quantum key service system implements the following functions through a quantum key processing and orchestration module: performing randomness detection, consistency and integrity checks, key layout and secure storage for quantum keys; protecting quantum keys using logical isolation and access control techniques; and securely deleting quantum keys that are no longer used.
9. The safe and efficient quantum key service method according to claim 1, characterized in that the proxy server may be a standalone device or a functional module within an application system; when an application system directly accesses a quantum key service system, that application system is regarded as an application system with integrated proxy server functionality; and when one quantum key service system directly interconnects with another quantum key service system that accesses a QKD node, that quantum key service system is regarded as a proxy server.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710780932.6A 2017-09-01 2017-09-01 A safe and efficient quantum key service method

Publications (2)

Publication Number Publication Date
CN107453868A 2017-12-08
CN107453868B 2019-09-24

Family

ID=60493642

Country Status (1)

Country Link
CN (1) CN107453868B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105515766A (en) * 2015-12-16 2016-04-20 浙江神州量子网络科技有限公司 Application method of quantum key in stunnel
CN105827397A (en) * 2015-01-08 2016-08-03 阿里巴巴集团控股有限公司 Quantum key distribution system, method and device based on trusted relay
CN106357396A (en) * 2016-09-23 2017-01-25 浙江神州量子网络科技有限公司 Digital signature method, digital signature system and quantum key card

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0917060D0 (en) * 2009-09-29 2009-11-11 Qinetiq Ltd Methods and apparatus for use in quantum key distribution


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant