CN107483197A - VPN terminal key distribution method and device - Google Patents

VPN terminal key distribution method and device

Info

Publication number: CN107483197A
Authority: CN (China)
Prior art keywords: terminal, quantum key, sequence number, message, actively
Legal status: Granted
Application number: CN201710827200.8A
Other languages: Chinese (zh)
Other versions: CN107483197B (en)
Inventor: 张闻闻
Current assignee: Hangzhou DPtech Information Technology Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd

Events: application CN201710827200.8A filed by Hangzhou DPTech Technologies Co Ltd (priority to CN201710827200.8A); publication of CN107483197A; application granted; publication of CN107483197B; legal status: active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852 Quantum cryptography
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Abstract

The application provides a VPN terminal key distribution method, characterised in that the method includes: receiving a session creation request sent by an active-creation terminal (the terminal that actively creates a session); according to the session creation request, sending a session creation notice to the active-creation terminal and to a passive-creation terminal, where the passive-creation terminal is specified by the terminal identifier carried in the session creation request, and the session created by the passive-creation terminal and the session created by the active-creation terminal are the same session; and, after the active-creation terminal and the passive-creation terminal have completed session creation, on receiving a quantum key application from the active-creation terminal, distributing an identical quantum key block to the active-creation terminal and the passive-creation terminal. The scheme distributes quantum key blocks to the terminals in a session and, relying on the no-cloning principle of quantum keys, achieves secure transmission of the encrypted data.

Description

VPN terminal key distribution method and device
Technical field
The application relates to the technical field of network security, and in particular to a VPN terminal key distribution method and device.
Background
A VPN (Virtual Private Network) is a private network built over a public network by means of tunneling technology. Building a VPN does not actually lay physical circuits such as optical cable; instead, data packets are encrypted and encapsulated so that they can be transmitted safely over the public network. Tunneling is this process of encrypting packets: the two parties exchanging information within one session use the same key. After a terminal in the session encrypts and sends a packet, the data travels through an information channel in the intermediate public network (the so-called tunnel) to the remote terminal, and the receiving terminal unseals the packet with the same key as the sending terminal to obtain the transmitted information. Because the packet is encrypted and only the two parties in the session hold the key, the transmitted data is considered secure. The security of the key used for encryption is therefore critically important for the secure transmission of data in a VPN.
In the prior art, keys are usually not exchanged directly. Instead, a complex algorithm is used to exchange key material between the two parties in the session; the exchange of key material may be public, and after it each party derives the same shared key. The security of this form of key distribution rests on the computational complexity of deriving the key within a bounded range, which is clearly not absolute in theory: once an attacker cracks the shared key, whether during the key distribution phase or during the subsequent data transfer phase, the attacker can read the data in intercepted packets, and the two parties in the session may not notice at all.
Summary of the invention
In view of this, the application provides a VPN terminal key distribution method and device. The technical scheme is as follows.
According to a first aspect of the application, a VPN terminal key distribution method is provided. The method includes:
receiving a session creation request sent by an active-creation terminal;
according to the session creation request, sending a session creation notice to the active-creation terminal and to a passive-creation terminal, where the passive-creation terminal is specified by the terminal identifier carried in the session creation request, and the session created by the passive-creation terminal and the session created by the active-creation terminal are the same session;
after the active-creation terminal and the passive-creation terminal have completed session creation, on receiving a quantum key application from the active-creation terminal, distributing an identical quantum key block to the active-creation terminal and the passive-creation terminal.
According to a second aspect of the application, a VPN terminal message encryption method based on the above keys is provided. The method includes:
on receiving a quantum key block, assigning a sequence number to the received quantum key block according to a preset sequence number allocation rule, where the active-creation terminal and the passive-creation terminal in the same session use the same sequence number allocation rule;
on receiving a message send request, determining, according to a preset key determination rule, the quantum key unit to use and the correspondence between that quantum key unit and its quantum key block;
adding the correspondence, the sequence number of the quantum key block to which the quantum key unit belongs, and the identifier of this terminal to the message;
encrypting the message with the quantum key unit.
According to a third aspect of the application, a VPN terminal message decryption method based on the above keys is provided. The method includes:
on receiving a quantum key block, assigning a sequence number to the received quantum key block according to a preset sequence number allocation rule, where the active-creation terminal and the passive-creation terminal in the same session use the same sequence number allocation rule;
on receiving an encrypted message, parsing the received message to obtain the terminal identifier, the quantum key block sequence number, and the correspondence between the quantum key unit and its quantum key block;
looking up the quantum key unit according to the parsed terminal identifier, sequence number and correspondence;
decrypting the received message with the quantum key unit found.
According to a fourth aspect of the application, a VPN terminal key distribution device is provided. The device includes:
a request receiving module, for receiving a session creation request sent by an active-creation terminal;
a notice sending module, for sending, according to the session creation request, a session creation notice to the active-creation terminal and to a passive-creation terminal, where the passive-creation terminal is specified by the terminal identifier carried in the session creation request, and the session created by the passive-creation terminal and the session created by the active-creation terminal are the same session;
a key distribution module, for distributing, after the active-creation terminal and the passive-creation terminal have completed session creation and on receiving a quantum key application from the active-creation terminal, an identical quantum key block to the active-creation terminal and the passive-creation terminal.
According to a fifth aspect of the application, a VPN terminal message encryption device based on the above keys is provided. The device includes:
a sequence number allocation module, for assigning, on receiving a quantum key block, a sequence number to the received quantum key block according to a preset sequence number allocation rule, where the active-creation terminal and the passive-creation terminal in the same session use the same sequence number allocation rule;
a key determination module, for determining, on receiving a message send request and according to a preset key determination rule, the quantum key unit and the correspondence between that quantum key unit and its quantum key block;
an information adding module, for adding the correspondence, the sequence number of the quantum key block to which the quantum key unit belongs, and the identifier of this terminal to the message;
a message encryption module, for encrypting the message with the quantum key unit.
According to a sixth aspect of the application, a VPN terminal message decryption device based on the above keys is provided. The device includes:
a sequence number allocation module, for assigning, on receiving a quantum key block, a sequence number to the received quantum key block according to a preset sequence number allocation rule, where the active-creation terminal and the passive-creation terminal in the same session use the same sequence number allocation rule;
a message parsing module, for parsing a received encrypted message to obtain the terminal identifier, the quantum key block sequence number, and the correspondence between the quantum key unit and its quantum key block;
a key lookup module, for looking up the quantum key unit according to the parsed terminal identifier, sequence number and correspondence;
a message decryption module, for decrypting the received message with the quantum key unit found.
The technical scheme of the application encrypts the transmitted data with quantum keys. By the quantum no-cloning principle, any measurement of a quantum system disturbs that system, so an attacker attempting to eavesdrop on the quantum key will affect the key and cause it to change; even if the attacker obtains the original key used to encrypt the data, the intercepted data cannot be decrypted with that original key. At the same time, because the key has changed, the two parties in the session can no longer decrypt the transmitted data with the original key either, so they learn that an attacker has attempted to eavesdrop on the quantum key and can take counter-measures in time.
It should be understood that the general description above and the detailed description below are exemplary and explanatory only and do not limit the application. Moreover, no embodiment of the application need achieve all of the effects described above.
Brief description of the drawings
To explain the embodiments of the application or the prior-art technical schemes more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below are only some embodiments of the application; those of ordinary skill in the art can obtain other drawings from them.
Fig. 1 is a schematic flow chart of the VPN terminal key distribution method of the application;
Fig. 2 is a schematic flow chart of the VPN terminal message encryption method of the application;
Fig. 3 is a schematic flow chart of the VPN terminal message decryption method of the application;
Fig. 4 is a schematic structural diagram of the VPN terminal key distribution device of the application;
Fig. 5 is a schematic structural diagram of the VPN terminal message encryption device of the application;
Fig. 6 is a schematic structural diagram of the VPN terminal message decryption device of the application.
Detailed description of embodiments
So that those skilled in the art can better understand the technical scheme of the application, it is described in detail below with reference to the drawings of the embodiments. Clearly, the embodiments described are only some of the embodiments of the application and not all of them. All other embodiments that those of ordinary skill in the art obtain on the basis of the embodiments of the application fall within the scope of protection of the application.
By establishing a dedicated data transmission channel over the public network, a VPN can connect an enterprise's or institution's remote branch offices, business partners and mobile staff, providing secure end-to-end data transfer. The VPN terminals in the embodiments of the application may be computers, routers, servers and the like that form the VPN; the terminals can apply for keys distributed by a KMS (Key Management Service) system.
In the embodiments of the application, the key distribution performed by the KMS system is realised by a QKD (Quantum Key Distribution) system. A terminal that is to use quantum keys distributed by the QKD system must be connected to the quantum network, and the quantum network can allocate a unique ID to each connected terminal.
Fig. 1 shows a schematic flow chart of a VPN terminal key distribution method of the application, which may include the following steps:
S101, receiving a session creation request sent by an active-creation terminal;
When a terminal connected to the quantum network needs to transmit data to another terminal in the network, a session must first be created so as to establish a data transmission channel; the two terminals associated in the same session then transmit data encrypted with quantum keys. The KMS therefore first receives the session creation request sent by the terminal that needs to create the session.
S102, according to the session creation request, sending a session creation notice to the active-creation terminal and to a passive-creation terminal, where the passive-creation terminal is specified by the terminal identifier carried in the session creation request, and the session created by the passive-creation terminal and the session created by the active-creation terminal are the same session;
To tell the KMS which terminal is the remote end of the session, the active-creation terminal must be able to designate a specific terminal, by including that terminal's identifier, in the session creation request it sends to the KMS. Based on the terminal identifier in the request, the KMS sends a notice permitting session creation to the active-creation terminal and to the designated passive-creation terminal.
The terminal identifier in the session creation request may be a conventional identifier such as the terminal's IP address or MAC address, or the ID allocated to the connected terminal by the quantum network; in short, anything that meets the basic requirement of designating a specific terminal.
S103, after the active-creation terminal and the passive-creation terminal have completed session creation, on receiving a quantum key application from the active-creation terminal, distributing an identical quantum key block to the active-creation terminal and the passive-creation terminal.
After the two terminals receive the notice sent by the KMS, they create the same session; once session creation is complete, the two terminals are associated in the same session and can transmit data. The active-creation terminal applies to the KMS for a quantum key; on receiving the application, the KMS sends the identical quantum key to the two terminals in the same session, and the two terminals can then use the identical quantum key sent by the KMS to encrypt and decrypt the data transmitted in the created session.
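The KMS side of steps S101 to S103, written out as a small Python simulation. This is an added example and not code from the patent or its assignee. It assumes numeric terminal identifiers (such as the quantum-network IDs the text mentions), the 1024-byte block length used in the text's worked example, that each terminal reports to the KMS when its side of the session has been created (the text does not say how the KMS learns this), and os.urandom as a stand-in for the QKD system. The two checks in apply_key, that the applicant is the active-creation terminal and that both terminals have finished creating the session, are the conditions that step S103 states.

```python
"""KMS-side flow of Fig. 1 (S101 to S103), as a runnable toy.

Added example, not code from the patent or its assignee. Assumed: numeric
terminal IDs, a 1024-byte block as in the text's worked example, terminals
reporting "session created" to the KMS, and os.urandom in place of QKD.
"""
import os
from dataclasses import dataclass, field

BLOCK_LEN = 1024  # block length assumed from the text's worked example


def qkd_stub():
    """Stand-in for the QKD system. os.urandom is NOT a quantum source."""
    return os.urandom(BLOCK_LEN)


@dataclass
class Session:
    active: int                  # terminal that sent the session creation request
    passive: int                 # terminal named by identifier in that request
    ready: set = field(default_factory=set)  # terminals that finished creating the session


class KMS:
    """Key Management Service that hands the same key block to both ends of a session."""

    def __init__(self, key_source=qkd_stub):
        self.key_source = key_source
        self.sessions = {}       # session id -> Session
        self.notices = []        # (terminal id, session id): session creation notices sent
        self.deliveries = []     # (terminal id, session id, block): key blocks sent
        self._next_sid = 1

    def create_session(self, active_id, passive_id):
        """S101/S102: accept the request and notify both terminals of one shared session."""
        if active_id == passive_id:
            raise ValueError("the peer must be a different terminal")
        sid = self._next_sid
        self._next_sid += 1
        self.sessions[sid] = Session(active_id, passive_id)
        for tid in (active_id, passive_id):
            self.notices.append((tid, sid))
        return sid

    def session_created(self, sid, terminal_id):
        """A terminal reports that it has created the session locally (assumed message)."""
        s = self.sessions[sid]
        if terminal_id not in (s.active, s.passive):
            raise PermissionError("terminal is not a party to this session")
        s.ready.add(terminal_id)

    def apply_key(self, sid, terminal_id):
        """S103: only the active-creation terminal applies, only once both sides are
        ready; the identical block is then delivered to both terminals."""
        s = self.sessions[sid]
        if terminal_id != s.active:
            raise PermissionError("only the active-creation terminal may apply for a key block")
        if s.ready != {s.active, s.passive}:
            raise RuntimeError("both terminals must complete session creation first")
        block = self.key_source()
        for tid in (s.active, s.passive):
            self.deliveries.append((tid, sid, block))
        return block


if __name__ == "__main__":
    kms = KMS()
    sid = kms.create_session(1001, 1002)   # 1001 actively creates and names 1002
    kms.session_created(sid, 1001)
    kms.session_created(sid, 1002)
    block = kms.apply_key(sid, 1001)
    print("delivered to", [t for t, s, _ in kms.deliveries if s == sid], "length", len(block))
```

The notices and deliveries lists stand in for the messages the KMS would send over the network; a real implementation would deliver the block over the quantum-key channel rather than keep it in memory.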
Fig. 2 shows the VPN terminal message encryption method that applies when terminals transmit data on the basis of the above VPN terminal key distribution method; it may include the following steps:
S201, on receiving a quantum key block, assigning a sequence number to the received quantum key block according to a preset sequence number allocation rule, where the active-creation terminal and the passive-creation terminal in the same session use the same sequence number allocation rule;
After a terminal receives a quantum key block sent by the KMS, it stores the block on the device and can later encrypt messages with it. To ensure that the two terminals in the same session use the same key when encrypting and decrypting a message, both terminals assign a one-to-one sequence number to each received key block according to the same rule.
Many allocation rules are possible, for example incrementing from 1 and recording the received blocks in turn as "key block 1", "key block 2", and so on, or presetting a series of numbers and assigning them in order to the received blocks. It will be understood that the two terminals in the same session assign the same sequence number to the same received key block in order to identify the quantum key block, so that the same quantum key is used when encrypting and decrypting the same data. The scheme therefore need not fix a particular sequence number allocation rule; in practice, those skilled in the art can choose an appropriate rule according to actual needs.
S202, on receiving a message send request, determining, according to a preset key determination rule, the quantum key unit and the correspondence between that quantum key unit and its quantum key block;
After a quantum key block has been applied for and assigned a sequence number, the key can be used to encrypt the messages to be sent. In practice, one quantum key block distributed by the KMS to a terminal contains a large amount of key material, so it is not practical to use a whole block for every encryption.
In one embodiment of the application, the quantum key unit used each time may be a part of one quantum key block: for each message encrypted, a portion is taken from the key block and the position taken is recorded with an offset; a portion already taken is not taken again, and once the whole block has been drawn it is discarded and a new key block is applied for from the KMS.
For example, suppose each quantum key block distributed by the KMS is 1024 bytes long and the quantum key unit used to encrypt each message is 32 bytes. The first time a key unit is taken from the block, bytes 1 to 32 of the 1024 bytes are taken and the offset is 1; the second time, bytes 33 to 64 are taken and the offset is 1 + 32 = 33; and so on.
Furthermore, after a quantum key unit of the preset length is extracted from the received quantum key block, the number of extractions can be recorded; from that count and the preset length, the remaining length of the received quantum key block is calculated, and it is checked whether the remaining length is not less than the preset length.
For example, after the 31st extraction of a quantum key unit, the count is recorded as 31; before the 32nd extraction, 31 × 32 bytes = 992 bytes are calculated to have been taken and 32 bytes remain, so the remaining length is judged not less than the length to be taken and a key unit can still be taken from this block. Likewise, the count is then recorded as 32; before the 33rd extraction, 32 × 32 bytes = 1024 bytes are calculated to have been taken and the remaining length is 0, so the key block must be discarded and a new quantum key block applied for from the KMS.
Obviously, the quantum key unit used for each encryption could also be one whole quantum key block, or even be spliced together from several quantum key blocks. It will be understood that, however a quantum key unit is derived from a quantum key block, a correspondence between the two necessarily exists, and when a message is to be decrypted that correspondence determines the quantum key unit used.
S203, adding the correspondence, the sequence number of the quantum key block to which the quantum key unit belongs, and the identifier of this terminal to the message;
As described above, when a message is encrypted, the sequence number and the correspondence between key unit and key block are used in turn to determine the key unit to be used for encryption. Therefore the sequence number and the correspondence must be added to the message sent to the remote terminal, so that when decrypting the message the remote terminal can determine the key unit to use.
Moreover, since a terminal may be associated with several sessions at the same time, and the sequence number allocation rule used by the two terminals in each session may be the same as the rule used by terminals in other sessions, the identifier of this terminal is also added to the sent message so that the peer terminal can determine the source of the encrypted message.
In one embodiment, a field can be added to the IP header of the sent message to carry the identifier of this terminal, the sequence number of the key block used, and the correspondence between key unit and key block.
In addition, if the terminal identifier used is the ID allocated to the connected terminal by the quantum network, the sequence number can be stored together with that ID when sequence numbers are assigned to key blocks, so that it can be retrieved conveniently when needed.
S204, encrypting the message with the quantum key unit.
Once the quantum key unit used for encryption, and the information about that key unit, have been determined, the payload of the message to be sent can be encrypted with the quantum key; the application does not limit the specific encryption method.
Fig. 3 shows the VPN terminal message decryption method that applies when terminals transmit data on the basis of the above VPN terminal key distribution method; it may include the following steps:
S301, on receiving a quantum key block, assigning a sequence number to the received quantum key block according to a preset sequence number allocation rule, where the active-creation terminal and the passive-creation terminal in the same session use the same sequence number allocation rule;
After a terminal receives a quantum key block sent by the KMS, it stores the block on the device and can later decrypt messages with it. As described above, to ensure that the two terminals in the same session use the same key when encrypting and decrypting a message, both terminals assign a one-to-one sequence number to each received key block according to the same rule; the scheme does not limit the specific allocation rule.
S302, on receiving an encrypted message, parsing the received message to obtain the terminal identifier, the quantum key block sequence number, and the correspondence between the quantum key unit and its quantum key block;
When an encrypted message sent by the remote terminal in the same session is received, the message must be decrypted. To determine the specific quantum key unit used, the received message is parsed to obtain the remote terminal's identifier, the sequence number of the key block used, and the correspondence between key unit and key block, all of which the remote terminal added to the message.
If the remote terminal added a field to the IP header of the sent message carrying its identifier, the sequence number of the key block used, and the correspondence between key unit and key block, then parsing the IP header of the received message yields the terminal identifier, the quantum key block sequence number, and the correspondence between the quantum key unit and its quantum key block from the preset field.
S303, looking up the quantum key unit according to the parsed terminal identifier, sequence number and correspondence;
The quantum key block is found from the parsed terminal identifier and sequence number, and the quantum key unit is then found within that quantum key block from the parsed correspondence.
For example, the parsed terminal identifier determines the specific remote terminal, and the parsed sequence number finds the quantum key block the remote terminal used for encryption. If the parsed correspondence is the offset of the quantum key unit within the quantum key block, say 64, then after skipping 64 bytes of the quantum key block, the key in bytes 65 to 96 is the key unit taken at encryption time.
S304, decrypting the received message with the quantum key unit found.
With the quantum key unit found, the encrypted message sent by the remote terminal can be decrypted; the application does not limit the specific decryption method.
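The terminal side of Figs. 2 and 3 as one Python example covering the whole procedure: numbering received blocks (S201/S301), taking 32-byte units from a 1024-byte block with an offset and the remaining-length check (S202), writing the terminal identifier, block sequence number and offset into a header (S203), and the peer's lookup and decryption (S302 to S304), including the exhaustion case in which the block is dropped and a new one must be applied for. This is an added example, not code from the patent or its assignee. Assumptions: a fixed 10-byte header stands in for the extra IP header field the text describes; offsets are zero-based where the text counts bytes from 1; and, because the text fixes no cipher, an HMAC-SHA256 counter-mode keystream XORed over the payload stands in for the symmetric cipher keyed with the 32-byte unit. The 1024-byte block is constructed test data, identical on both ends as the KMS would deliver it.

```python
"""Terminal-side flow of Figs. 2 and 3 as a runnable toy: block numbering,
unit extraction with offset and remaining-length check, header fields, and
the peer's lookup and decryption.

Added example, not code from the patent or its assignee. Assumed: 1024-byte
blocks and 32-byte units (the text's worked example), a 10-byte header in
place of the extra IP header field, zero-based offsets, and an HMAC-SHA256
keystream in place of the unspecified symmetric cipher.
"""
import hashlib
import hmac
import struct

BLOCK_LEN = 1024
UNIT_LEN = 32
HDR = struct.Struct("!IIH")   # sender terminal ID, block sequence number, unit offset


class NeedNewKeyBlock(Exception):
    """Raised when every block for a peer is used up: apply to the KMS (S202)."""


class Terminal:
    def __init__(self, terminal_id):
        self.terminal_id = terminal_id
        self.blocks = {}        # (peer id, seq) -> block bytes, numbered per session
        self.next_seq = {}      # peer id -> next sequence number to assign
        self.used = {}          # (peer id, seq) -> bytes already taken for sending
        self.needs_key = set()  # peers for which a new block must be applied for

    def receive_block(self, peer_id, block):
        """S201/S301: number blocks 1, 2, 3, ... per session; both ends use this rule."""
        seq = self.next_seq.get(peer_id, 1)
        self.next_seq[peer_id] = seq + 1
        self.blocks[(peer_id, seq)] = block
        self.used[(peer_id, seq)] = 0
        self.needs_key.discard(peer_id)
        return seq

    def take_unit(self, peer_id):
        """S202: next unused UNIT_LEN bytes of the oldest block for this peer.
        A block whose remaining length is below UNIT_LEN is discarded."""
        for key in sorted(k for k in self.blocks if k[0] == peer_id):
            block, used = self.blocks[key], self.used[key]
            if len(block) - used >= UNIT_LEN:          # remaining-length check
                self.used[key] = used + UNIT_LEN
                return key[1], used, block[used:used + UNIT_LEN]
            del self.blocks[key], self.used[key]       # exhausted: drop the block
        self.needs_key.add(peer_id)
        raise NeedNewKeyBlock(peer_id)

    def lookup_unit(self, peer_id, seq, offset):
        """S303: find the peer's block by (terminal ID, sequence number), then slice it."""
        block = self.blocks[(peer_id, seq)]
        return block[offset:offset + UNIT_LEN]


def _keystream(unit, n):
    """HMAC-SHA256 counter-mode keystream keyed with the unit (assumed cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(unit, struct.pack("!Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_message(sender, peer_id, payload):
    """S202 to S204: take a unit, put (ID, seq, offset) in the header, encrypt the payload."""
    seq, offset, unit = sender.take_unit(peer_id)
    header = HDR.pack(sender.terminal_id, seq, offset)
    return header + _xor(payload, _keystream(unit, len(payload)))


def decrypt_message(receiver, packet):
    """S302 to S304: parse the header, look the unit up, decrypt the payload."""
    sender_id, seq, offset = HDR.unpack_from(packet)
    unit = receiver.lookup_unit(sender_id, seq, offset)
    body = packet[HDR.size:]
    return _xor(body, _keystream(unit, len(body)))


if __name__ == "__main__":
    block = bytes(range(256)) * 4   # constructed 1024-byte block, identical on both ends
    a, b = Terminal(1001), Terminal(1002)
    a.receive_block(1002, block)
    b.receive_block(1001, block)
    pkt = encrypt_message(a, 1002, b"payload over the tunnel")
    print(HDR.unpack_from(pkt), decrypt_message(b, pkt))
```

One direction is shown (terminal 1001 sends, 1002 receives), as in the text's encryption and decryption steps; the text does not say how the two terminals share one block's units when both of them send. In this toy construction the header fields travel in the clear and unauthenticated; a deployment would use the unit to key an AEAD with the header as associated data, so that a modified sequence number or offset is detected instead of silently selecting the wrong key material.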
It can be seen that phase can be applied for KMS, it is necessary to after two terminal associations carried out data transmission using application scheme With quantum key block, and when to data encryption and decryption, using identical quantum key unit, based on quantum key not Can cloning mechanisms, realize the safe transmissions of data.
Corresponding to above method embodiment, the application also provides a kind of VPN terminal key dispensing device, referring to Fig. 4 Shown, the device can include:
Request receiving module 110, asked for receiving by the conversation establishing for actively creating terminal transmission;
Sending module 120 is notified, for being asked according to the conversation establishing, is created to the terminal that actively creates with passive Terminal sends conversation establishing notice, and the passive terminal iidentification created during terminal is asked by the conversation establishing is specified, described The passive session for creating terminal establishment is same session with the session for actively creating terminal establishment;
Key distribution module 130, for actively creating terminal and the passive establishment terminal completion conversation establishing described Afterwards, in the case where receiving the quantum key application for actively creating terminal, terminal and the quilt are actively created to be described It is dynamic to create terminal distribution identical quantum key block.
The application also provides a kind of VPN terminal message encryption device based on above-mentioned key, shown in Figure 5, should Device can include:
Sequence number distribute module 210, in the case where receiving quantum key block, being distributed according to default sequence number Rule, it is the quantum key block assigned sequence number of the reception, wherein, the terminal that actively creates in same session creates with passive The sequence number allocation rule that terminal uses is identical;
Key determining module 220, in the case where receiving message and sending request, determining to advise according to default key Then, quantum key unit, and the corresponding relation of the quantum key unit and corresponding quantum key block are determined;
Information add module 230, for by quantum key block corresponding to the corresponding relation, the quantum key unit The mark of sequence number and this terminal, added in the message;
Message encryption module 240, for using the quantum key unit, encrypt the message.
In a kind of embodiment of the application, key determining module 220 specifically can be used for:
In the case where receiving message and sending request, the residue length of the received quantum key block of detection, if no Less than preset length;
In the case where the residue length is not less than the preset length, from the quantum key block received, extraction The quantum key unit of the preset length;
Offset of the extracted quantum key unit in the quantum key block received is determined, the offset is institute The corresponding relation of the quantum key unit of extraction and the quantum key block received.
In a kind of embodiment of the application, key determining module 220 specifically can be also used for:
In the case where the residue length is less than the preset length, quantum key application.
In a kind of embodiment of the application, information add module 230 specifically can be used for:
By the sequence number of quantum key block and the mark of this terminal corresponding to the corresponding relation, the quantum key unit Know, added in the preset field on the IP agreement head of the message.
The application also provides a VPN terminal message decryption device based on the above key. As shown in Figure 6, the device may include:
A sequence number assignment module 310, configured to, when a quantum key block is received, assign a sequence number to the received quantum key block according to a preset sequence number allocation rule, wherein the actively creating terminal and the passively creating terminal in the same session use the same sequence number allocation rule;
A packet parsing module 320, configured to, when an encrypted message is received, parse the received message to obtain a terminal identifier, a quantum key block sequence number, and the correspondence between a quantum key unit and its quantum key block;
A key lookup module 330, configured to look up the quantum key unit according to the parsed terminal identifier, sequence number and correspondence;
A message decryption module 340, configured to decrypt the received message using the found quantum key unit.
In one embodiment of the application, the packet parsing module 320 may specifically be configured to:
when an encrypted message is received, parse the IP protocol header of the received packet to obtain, from a preset field, the terminal identifier, the quantum key block sequence number, and the correspondence between the quantum key unit and its quantum key block.
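The encryption modules 210 to 240 and the decryption modules 310 to 340 above (and claims 1 to 7, which restate them) describe key bookkeeping rather than a cipher. The Python model below is an added example, not code from the patent or its applicant. It assumes a 32-byte preset length, a 128-byte key block numbered 1, 2, 3, ... on both terminals, an `os.urandom` block standing in for the quantum key source, a 16-byte prepended header standing in for the preset field of the IP header, and XOR with the key unit as the encryption step, since the patent names no cipher. Two checks not in the patent are added: each direction draws units from its own half of the block, and a receiver refuses a (terminal identifier, sequence number, offset) triple it has already used, so no pad bytes are ever applied twice.

```python
import os
import struct
from dataclasses import dataclass, field

PRESET_LENGTH = 32   # bytes per quantum key unit (assumed value)
BLOCK_LENGTH = 128   # bytes per quantum key block (assumed value)
# Stand-in for the "preset field in the IP protocol header":
# terminal id (8 bytes), quantum key block sequence number, offset of the unit.
HEADER = struct.Struct("!8sII")


class KeyDistributor:
    """Distribution side (claim 1): one session per terminal pair; every key
    application hands the *same* block to both terminals of the session."""

    def __init__(self):
        self.sessions = {}  # session id -> (active terminal, passive terminal)

    def create_session(self, active, passive) -> int:
        session_id = len(self.sessions) + 1
        self.sessions[session_id] = (active, passive)
        active.session_id, active.role, active.peer_id = session_id, "active", passive.terminal_id
        passive.session_id, passive.role, passive.peer_id = session_id, "passive", active.terminal_id
        return session_id

    def apply_key(self, session_id: int) -> None:
        block = os.urandom(BLOCK_LENGTH)  # stands in for a quantum key block (assumption)
        for terminal in self.sessions[session_id]:
            terminal.receive_key_block(block)


@dataclass
class Terminal:
    terminal_id: bytes
    distributor: KeyDistributor
    session_id: int = 0
    role: str = ""
    peer_id: bytes = b""
    next_seq: int = 1                            # allocation rule on both ends: 1, 2, 3, ... (assumed)
    blocks: dict = field(default_factory=dict)   # seq -> block bytes, identical on both ends
    send_seq: int = 0
    send_offset: int = 0
    used: set = field(default_factory=set)       # (sender, seq, offset) already decrypted

    # Sequence number assignment module: number blocks in order of arrival.
    def receive_key_block(self, block: bytes) -> int:
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.blocks[seq] = block
        return seq

    def _region(self) -> tuple:
        # Added assumption: each direction pads from its own half of the block, so a
        # unit is never used twice (XOR pad reuse leaks the XOR of two plaintexts).
        half = BLOCK_LENGTH // 2
        return (0, half) if self.role == "active" else (half, BLOCK_LENGTH)

    # Key determining module: next unused unit, or a key application when the
    # remaining length is below the preset length (claims 3 and 4).
    def determine_key_unit(self) -> tuple:
        start, end = self._region()
        if self.send_seq not in self.blocks or end - self.send_offset < PRESET_LENGTH:
            if not self.blocks or max(self.blocks) == self.send_seq:
                self.distributor.apply_key(self.session_id)
            self.send_seq, self.send_offset = max(self.blocks), start
        offset = self.send_offset
        self.send_offset += PRESET_LENGTH
        return self.send_seq, offset, self.blocks[self.send_seq][offset:offset + PRESET_LENGTH]

    # Information adding + message encryption modules.
    def encrypt(self, payload: bytes) -> bytes:
        if len(payload) > PRESET_LENGTH:
            raise ValueError("payload longer than one key unit")
        seq, offset, unit = self.determine_key_unit()
        body = bytes(p ^ k for p, k in zip(payload, unit))  # one-time-pad style use (assumed)
        return HEADER.pack(self.terminal_id, seq, offset) + body

    # Packet parsing, key lookup and message decryption modules.
    def decrypt(self, packet: bytes) -> bytes:
        sender, seq, offset = HEADER.unpack_from(packet)
        if sender != self.peer_id:
            raise KeyError("no session with this terminal identifier")
        if (sender, seq, offset) in self.used:  # added check: refuse a reused key unit
            raise ValueError("key unit already consumed")
        block = self.blocks.get(seq)
        if block is None or offset + PRESET_LENGTH > len(block):
            raise KeyError(f"no key unit for seq={seq} offset={offset}")
        self.used.add((sender, seq, offset))
        unit = block[offset:offset + PRESET_LENGTH]
        return bytes(c ^ k for c, k in zip(packet[HEADER.size:], unit))


def demo() -> dict:
    """Constructed walk-through: the active terminal sends three messages (the third
    exhausts its half of block 1 and triggers a key application), the passive
    terminal replies, and a replayed packet is rejected."""
    kd = KeyDistributor()
    a, b = Terminal(b"TERM-A\0\0", kd), Terminal(b"TERM-B\0\0", kd)
    kd.create_session(a, b)
    packets = [a.encrypt(m) for m in (b"hello", b"world", b"third message")]
    received = [b.decrypt(p) for p in packets]
    reply = a.decrypt(b.encrypt(b"ack"))
    try:
        b.decrypt(packets[0])
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"received": received, "reply": reply, "blocks_used": len(a.blocks),
            "third_header": HEADER.unpack_from(packets[2])[1:],
            "replay_rejected": replay_rejected}
```

Running `demo()` shows the three header triples the receiver uses for lookup: the first two messages carry sequence number 1 with offsets 0 and 32, and the third carries sequence number 2 with offset 0 because the active terminal's half of block 1 was exhausted and both terminals received the same new block. The reply from the passive terminal reuses block 2 but at offset 64, the start of its own half.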
For the implementation of the functions and effects of the modules in the above device, refer to the implementation of the corresponding steps in the above method; it is not repeated here.
From the above description of the embodiments, those skilled in the art can clearly understand that the application can be implemented by software plus the necessary general hardware platform. Based on this understanding, the technical solution of the application, or the part of it that contributes to the prior art, can essentially be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in the embodiments, or in parts of the embodiments, of the application.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the device and system embodiments are substantially similar to the method embodiments, they are described more briefly, and the relevant parts refer to the description of the method embodiments. The device and system embodiments described above are merely schematic: the modules described as separate components may or may not be physically separate, and when the solution of the application is implemented, the functions of the modules may be realized in one or more pieces of software and/or hardware. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above is merely an embodiment of the application. It should be noted that those of ordinary skill in the art may make improvements and modifications without departing from the principle of the application, and these improvements and modifications should also be regarded as within the scope of protection of the application.

Claims (10)

1. A VPN terminal key distribution method, characterized in that the method comprises:
receiving a session creation request sent by an actively creating terminal;
according to the session creation request, sending a session creation notification to the actively creating terminal and to a passively creating terminal, the passively creating terminal being specified by a terminal identifier carried in the session creation request, wherein the session created by the passively creating terminal and the session created by the actively creating terminal are the same session;
after the actively creating terminal and the passively creating terminal complete session creation, when a quantum key application from the actively creating terminal is received, distributing the same quantum key block to the actively creating terminal and the passively creating terminal.
2. A VPN terminal message encryption method based on the method of claim 1, characterized in that the method comprises:
when a quantum key block is received, assigning a sequence number to the received quantum key block according to a preset sequence number allocation rule, wherein the actively creating terminal and the passively creating terminal in the same session use the same sequence number allocation rule;
when a message sending request is received, determining, according to a preset key determination rule, a quantum key unit and the correspondence between the quantum key unit and its quantum key block;
adding the correspondence, the sequence number of the quantum key block corresponding to the quantum key unit, and the identifier of this terminal to the message;
encrypting the message using the quantum key unit.
3. The method according to claim 2, characterized in that said determining, when a message sending request is received, a quantum key unit and the correspondence between the quantum key unit and its quantum key block according to a preset key determination rule comprises:
when a message sending request is received, detecting whether the remaining length of the received quantum key block is not less than a preset length;
when the remaining length is not less than the preset length, extracting a quantum key unit of the preset length from the received quantum key block;
determining the offset of the extracted quantum key unit within the received quantum key block, the offset being the correspondence between the extracted quantum key unit and the received quantum key block.
4. The method according to claim 3, characterized in that the method further comprises:
when the remaining length is less than the preset length, submitting a quantum key application.
5. The method according to claim 2, characterized in that said adding the correspondence, the sequence number of the quantum key block corresponding to the quantum key unit, and the identifier of this terminal to the message comprises:
adding the correspondence, the sequence number of the quantum key block corresponding to the quantum key unit, and the identifier of this terminal to a preset field in the IP protocol header of the message.
6. A VPN terminal message decryption method based on the method of claim 1, characterized in that the method comprises:
when a quantum key block is received, assigning a sequence number to the received quantum key block according to a preset sequence number allocation rule, wherein the actively creating terminal and the passively creating terminal in the same session use the same sequence number allocation rule;
when an encrypted message is received, parsing the received message to obtain a terminal identifier, a quantum key block sequence number, and the correspondence between a quantum key unit and its quantum key block;
looking up the quantum key unit according to the parsed terminal identifier, sequence number and correspondence;
decrypting the received message using the found quantum key unit.
7. The method according to claim 6, characterized in that said parsing the received message, when an encrypted message is received, to obtain a terminal identifier, a quantum key block sequence number, and the correspondence between a quantum key unit and its quantum key block comprises:
when an encrypted message is received, parsing the IP protocol header of the received packet to obtain, from a preset field, the terminal identifier, the quantum key block sequence number, and the correspondence between the quantum key unit and its quantum key block.
8. A VPN terminal key distribution device, characterized in that the device comprises:
a request receiving module, configured to receive a session creation request sent by an actively creating terminal;
a notification sending module, configured to send, according to the session creation request, a session creation notification to the actively creating terminal and to a passively creating terminal, the passively creating terminal being specified by a terminal identifier carried in the session creation request, wherein the session created by the passively creating terminal and the session created by the actively creating terminal are the same session;
a key distribution module, configured to, after the actively creating terminal and the passively creating terminal complete session creation, distribute the same quantum key block to the actively creating terminal and the passively creating terminal when a quantum key application from the actively creating terminal is received.
9. A VPN terminal message encryption device based on the device of claim 8, characterized in that the device comprises:
a sequence number assignment module, configured to, when a quantum key block is received, assign a sequence number to the received quantum key block according to a preset sequence number allocation rule, wherein the actively creating terminal and the passively creating terminal in the same session use the same sequence number allocation rule;
a key determining module, configured to, when a message sending request is received, determine a quantum key unit and the correspondence between the quantum key unit and its quantum key block according to a preset key determination rule;
an information adding module, configured to add the correspondence, the sequence number of the quantum key block corresponding to the quantum key unit, and the identifier of this terminal to the message;
a message encryption module, configured to encrypt the message using the quantum key unit.
10. A VPN terminal message decryption device based on the device of claim 8, characterized in that the device comprises:
a sequence number assignment module, configured to, when a quantum key block is received, assign a sequence number to the received quantum key block according to a preset sequence number allocation rule, wherein the actively creating terminal and the passively creating terminal in the same session use the same sequence number allocation rule;
a packet parsing module, configured to, when an encrypted message is received, parse the received message to obtain a terminal identifier, a quantum key block sequence number, and the correspondence between a quantum key unit and its quantum key block;
a key lookup module, configured to look up the quantum key unit according to the parsed terminal identifier, sequence number and correspondence;
a message decryption module, configured to decrypt the received message using the found quantum key unit.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710827200.8A CN107483197B (en) 2017-09-14 2017-09-14 VPN network terminal key distribution method and device

Publications (2)

Publication Number Publication Date
CN107483197A true CN107483197A (en) 2017-12-15
CN107483197B CN107483197B (en) 2020-02-11

Family

ID=60584342

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710827200.8A Active CN107483197B (en) 2017-09-14 2017-09-14 VPN network terminal key distribution method and device

Country Status (1)

Country Link
CN (1) CN107483197B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050063547A1 (en) * 2003-09-19 2005-03-24 Audrius Berzanskis Standards-compliant encryption with QKD
CN201830272U (en) * 2010-09-17 2011-05-11 安徽问天量子科技股份有限公司 Network encryption machine based on quantum keys
CN102210121A (en) * 2008-09-10 2011-10-05 马来西亚微电子系统有限公司 Method of integrating quantum key distribution with internet key exchange protocol
CN103490891A (en) * 2013-08-23 2014-01-01 中国科学技术大学 Method for updating and using secret key in power grid SSL VPN
CN104618387A (en) * 2015-02-14 2015-05-13 安徽量子通信技术有限公司 Method applying SIP signaling to quantum secure communication system, integrated access quantum gateway and system
CN104660602A (en) * 2015-02-14 2015-05-27 山东量子科学技术研究院有限公司 Quantum key transmission control method and system
CN107040378A (en) * 2017-06-01 2017-08-11 浙江九州量子信息技术股份有限公司 A kind of key dispatching system and method based on Multi-user Remote Communication
CN107086907A (en) * 2016-02-15 2017-08-22 阿里巴巴集团控股有限公司 Key synchronization, encapsulation transmission method and device for quantum key distribution process

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110048833A (en) * 2019-03-04 2019-07-23 全球能源互联网研究院有限公司 Power business encryption method and device based on quantum satellite key network
CN110048833B (en) * 2019-03-04 2021-10-29 全球能源互联网研究院有限公司 Electric power service encryption method and device based on quantum satellite key network
CN110190952A (en) * 2019-05-09 2019-08-30 浙江神州量子通信技术有限公司 It is a kind of based on quantum random number to the encrypted transmission method of Internet of Things safety

Also Published As

Publication number Publication date
CN107483197B (en) 2020-02-11

Similar Documents

Publication Publication Date Title
JP3816337B2 (en) Security methods for transmission in telecommunications networks
WO2017185999A1 (en) Method, apparatus and system for encryption key distribution and authentication
US8503681B1 (en) Method and system to securely transport data encryption keys
WO2017185692A1 (en) Key distribution and authentication method, apparatus and system
CN101971559A (en) Method and apparatus to enable lawful intercept of encrypted traffic
CN102202299A (en) Realization method of end-to-end voice encryption system based on 3G/B3G
CN103986723B (en) A kind of secret communication control, secret communication method and device
CN101183935A (en) Cipher key negotiation method, device and system of RTP packet
CN102106135A (en) Sending media data via an intermediate node
CN111835997B (en) Cloud video conference system based on quantum key encryption and decryption method thereof
CN101790160A (en) Method and device for safely consulting session key
CN110855438A (en) Quantum key distribution method and system based on annular QKD network
CN102264068B (en) Shared key consultation method, system, network platform and terminal
CN102905199B (en) A kind of multicast service realizing method and equipment thereof
CN100571133C (en) The implementation method of media flow security transmission
CN108353279A (en) A kind of authentication method and Verification System
CN103997405B (en) A kind of key generation method and device
CN109981271B (en) Network multimedia safety protection encryption method
US20100034384A1 (en) Method for providing a symmetric key for protecting a key management protocol
CN107483197A (en) A kind of VPN terminal key distribution method and device
CN101729536B (en) Method and system for transmitting delayed media information of IP multimedia subsystem
CN106209384B (en) Use the client terminal of security mechanism and the communication authentication method of charging unit
CN101222324B (en) Method and apparatus for implementing end-to-end media stream safety
WO2012165901A2 (en) Method for inter-terminal security channelization
KR100582409B1 (en) Method for creating Encryption Key in Wireless LAN

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210615

Address after: 310051 05, room A, 11 floor, Chung Cai mansion, 68 Tong Xing Road, Binjiang District, Hangzhou, Zhejiang.

Patentee after: Hangzhou Dip Information Technology Co.,Ltd.

Address before: 6 / F, Zhongcai building, 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee before: Hangzhou DPtech Technologies Co.,Ltd.