CN107659400A - A kind of quantum secret communication method and device based on mark identification - Google Patents


Info

Publication number: CN107659400A
Authority: CN (China)
Prior art keywords: data flow, mode, encryption, quantum, mark
Legal status: Granted; currently active (Google notes that the legal status is an assumption and not a legal conclusion)
Application number: CN201710910878.2A
Other languages: Chinese (zh)
Other versions: CN107659400B (the granted version)
Inventors: 陈四雄, 林建喜, 兰碧玉, 张江源
Current assignees: Zhangzhou Kehua Technology Co Ltd; Kehua Data Co Ltd (Google notes that the listed assignees may be inaccurate)
Original assignees: Xiamen Kehua Hengsheng Co Ltd; Zhangzhou Kehua Technology Co Ltd
Application filed by Xiamen Kehua Hengsheng Co Ltd and Zhangzhou Kehua Technology Co Ltd; priority to CN201710910878.2A; published as CN107659400A; granted and published as CN107659400B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0852 Quantum cryptography

Abstract

The invention discloses a quantum secure communication method based on mark identification, applied to a quantum application gateway deployed at the network egress. The method comprises the following steps: obtain a data flow awaiting transmission; identify the encryption mark carried by the data flow and determine the actual processing mode to apply to it; process the data flow according to the actual processing mode, applying quantum encryption when the actual processing mode is the quantum encryption mode; and send the processed data flow to the recipient. The method of the embodiments improves the effective utilization of quantum keys, saves quantum secure communication network resources and reduces network cost. The invention also discloses a quantum secure communication device based on mark identification, with corresponding technical effects.

Description

Quantum secure communication method and device based on mark identification
Technical field
The present invention relates to the field of communication technology, and in particular to a quantum secure communication method and device based on mark identification.
Background technology
As attention to data security has grown, a variety of secure communication technologies have been developed for use during data transmission. Quantum communication is a secure communication technology whose security has been rigorously proven. Applying quantum encryption to a data flow before transmission greatly improves the transmission security of that flow.
However, owing to technical limitations, the key generation rate of quantum key distribution in a quantum secure communication network is relatively low, and quantum key generation equipment is expensive. In a network environment with high bandwidth, heavy traffic and many applications, the cost of deployment rules out scaling the quantum secure communication network to cover all traffic. In practice, senders do not have equally high security requirements for every data flow. If quantum encryption were applied to every flow awaiting transmission, the security of quantum key reuse could not be guaranteed, the effective utilization of quantum keys would be low, more quantum secure communication network resources would be consumed, and network cost would be higher.
Summary of the invention
The object of the invention is to provide a quantum secure communication method and device based on mark identification, so as to improve the effective utilization of quantum keys, save quantum secure communication network resources and reduce network cost.
To solve the above technical problem, the invention provides the following technical solution:
A quantum secure communication method based on mark identification, applied to a quantum application gateway deployed at the network egress, comprising:
obtaining a data flow awaiting transmission;
identifying the encryption mark carried by the data flow and determining the actual processing mode to apply to the data flow;
processing the data flow according to the actual processing mode, wherein, when the actual processing mode is the quantum encryption mode, quantum encryption is applied to the data flow; and
sending the processed data flow to the recipient.
In one embodiment of the invention, the encryption mark is a mark that a mark component deployed at the sender adds to the data flow according to a first processing mode selected by the user;
and identifying the encryption mark carried by the data flow and determining the actual processing mode to apply to the data flow comprises:
identifying the encryption mark carried by the data flow and determining the first processing mode specified by the user;
if the first processing mode is the quantum encryption mode, determining that the actual processing mode to apply to the data flow is the quantum encryption mode;
if the first processing mode is not the quantum encryption mode, retrieving a first encryption policy library obtained in advance, and determining the actual processing mode to apply to the data flow according to the encryption policies recorded in the first encryption policy library and the first processing mode.
In one embodiment of the invention, determining the actual processing mode to apply to the data flow according to the encryption policies recorded in the first encryption policy library and the first processing mode comprises:
searching the first encryption policy library for an encryption policy corresponding to an attribute of the data flow;
if one is found, determining the second processing mode corresponding to the encryption policy found;
determining the actual processing mode to apply to the data flow according to the security grade of the first processing mode and the security grade of the second processing mode.
In one embodiment of the invention, determining the actual processing mode according to the security grade of the first processing mode and the security grade of the second processing mode comprises:
if the security grade of the first processing mode is greater than or equal to that of the second processing mode, determining the first processing mode as the actual processing mode to apply to the data flow;
if the security grade of the first processing mode is less than that of the second processing mode, determining the second processing mode as the actual processing mode to apply to the data flow.
In one embodiment of the invention, when no encryption policy corresponding to the attribute is found in the first encryption policy library, the method further comprises:
determining the first processing mode directly as the actual processing mode to apply to the data flow.
In one embodiment of the invention, the method further comprises:
obtaining user encryption behaviour data;
updating the encryption policies recorded in the first encryption policy library according to the user encryption behaviour data.
In one embodiment of the invention, the encryption mark is a mark of the actual processing mode to apply to the data flow, determined by a mark component deployed at the sender by combining the first processing mode selected by the user with the encryption policies in a second encryption policy library obtained in advance.
A quantum secure communication device based on mark identification, applied to a quantum application gateway deployed at the network egress, comprising:
a data flow obtaining unit for obtaining a data flow awaiting transmission;
an actual processing mode determining unit for identifying the encryption mark carried by the data flow and determining the actual processing mode to apply to the data flow;
a processing unit for processing the data flow according to the actual processing mode, wherein, when the actual processing mode is the quantum encryption mode, quantum encryption is applied to the data flow;
a data flow sending unit for sending the processed data flow to the recipient.
In one embodiment of the invention, the encryption mark is a mark that a mark component deployed at the sender adds to the data flow according to a first processing mode selected by the user;
and the actual processing mode determining unit is specifically configured to:
identify the encryption mark carried by the data flow and determine the first processing mode specified by the user;
if the first processing mode is the quantum encryption mode, determine that the actual processing mode to apply to the data flow is the quantum encryption mode;
if the first processing mode is not the quantum encryption mode, retrieve a first encryption policy library obtained in advance and determine the actual processing mode to apply to the data flow according to the encryption policies recorded in the first encryption policy library and the first processing mode.
In one embodiment of the invention, the encryption mark is a mark of the actual processing mode to apply to the data flow, determined by a mark component deployed at the sender by combining the first processing mode selected by the user with the encryption policies in a second encryption policy library obtained in advance.
With the technical solution of the embodiments, the quantum application gateway deployed at the network egress, after obtaining a data flow awaiting transmission, identifies the encryption mark carried by the flow, determines the actual processing mode to apply, processes the flow accordingly (applying quantum encryption when the actual processing mode is the quantum encryption mode) and sends the processed flow to the recipient. This refines the granularity of control to the level of individual identified data flows, so that quantum secure communication serves specific flows; on the premise of meeting the user's quantum encryption requirements for the traffic, it improves the effective utilization of quantum keys, saves quantum secure communication network resources and reduces network cost.
Brief description of the drawings
To illustrate the embodiments of the invention or the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a topology diagram of the quantum secure communication system in an embodiment of the invention;
Fig. 2 is a flow chart of a quantum secure communication method based on mark identification in an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a mark component in an embodiment of the invention;
Fig. 4 is a schematic structural diagram of the quantum application gateway corresponding to Fig. 3;
Fig. 5 is a schematic structural diagram of a quantum secure communication device based on mark identification in an embodiment of the invention;
Fig. 6 is another flow chart of the quantum secure communication method based on mark identification in an embodiment of the invention;
Fig. 7 is a schematic structural diagram of another mark component in an embodiment of the invention;
Fig. 8 is a schematic structural diagram of the quantum application gateway corresponding to Fig. 7.
Embodiment
The core of the invention is a quantum secure communication method based on mark identification that can be applied to a quantum application gateway deployed at the network egress.
As shown in Fig. 1, end A is the sending end and end B is the receiving end.
At end A, multiple clients are connected to the quantum application gateway through an aggregation switch and a core switch; the server is connected to the quantum application gateway through the core switch and to the clients through the core switch and the aggregation switch; the quantum application gateway is also connected to a firewall. A mark component is deployed on the clients and on the server.
The sender (a client or the server) uses the mark component to configure encryption of different security grades for the data flow according to the user's encryption requirements. The data flow passes through network devices such as switches and routers and reaches the quantum application gateway. The quantum application gateway determines the actual processing mode for the data flow, processes it accordingly, and sends the processed flow through the firewall and over the Internet to the recipient at end B.
End B has a corresponding architecture: the quantum application gateway at end B receives the data flow via its firewall, performs the corresponding decryption, and forwards the flow to the appropriate client.
To help those skilled in the art better understand the solution, the invention is described in further detail below with reference to the drawings and specific embodiments. The embodiments described are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the invention.
Referring to Fig. 2, a flow chart of a quantum secure communication method based on mark identification provided by an embodiment of the invention, the method may comprise the following steps:
S110: obtain a data flow awaiting transmission.
In the embodiments, a client or the server acts as the sender and sends a data flow to the recipient. The sender sends the data flow awaiting transmission to the quantum application gateway, which processes it and forwards it to the recipient.
After the quantum application gateway obtains the data flow awaiting transmission, it continues with step S120.
S120: identify the encryption mark carried by the data flow and determine the actual processing mode to apply to the data flow.
In the embodiments, the data flow awaiting transmission may carry an encryption mark. After obtaining the flow, the quantum application gateway identifies the encryption mark carried in it and determines the actual processing mode to apply to the flow.
In one embodiment of the invention, the encryption mark is a mark added to the data flow by a mark component deployed at the sender according to the first processing mode selected by the user. Accordingly, as shown in Fig. 6, step S120 may comprise the following steps:
S121: identify the encryption mark carried by the data flow and determine the first processing mode specified by the user.
In the embodiments, a mark component may be deployed on the clients and on the server. When a sender such as a client or the server needs to send a data flow to a recipient, it can, according to the actual situation, have the mark component add an encryption mark to the data flow awaiting transmission, so that the flow carries the mark.
As shown in Fig. 3, the mark component may comprise a first user selection module and a first mark module. The user specifies, as needed, which processing mode to apply to the data flow awaiting transmission: through the first user selection module the user selects a processing mode of a given security grade, such as quantum encryption, conventional encryption or no encryption, and the first mark module adds the corresponding encryption mark to the data flow according to the processing mode output by the first user selection module. For example, the encryption mark may be a quantum encryption mark, and the mark matching parameters may include the process name, user name, IP address, IP port, local time and so on.
The mark component on the server can record the marks of client data flows; before the server sends a data flow awaiting transmission, it can match the corresponding security grade according to the recorded results for the client's data flows and add the corresponding encryption mark to the flow.
After obtaining the data flow awaiting transmission, the quantum application gateway identifies the encryption mark carried by it and can thereby determine the first processing mode specified by the user:
when the encryption mark is a no-encryption mark, or the data flow carries no encryption mark at all, the first processing mode specified by the user is determined to be the no-encryption mode;
when the encryption mark is a quantum encryption mark, the first processing mode specified by the user is determined to be the quantum encryption mode;
when the encryption mark is a conventional encryption mark, the first processing mode specified by the user is determined to be the conventional encryption mode.
Quantum communication offers higher security, so the security grade of the quantum encryption mode is higher than that of the conventional encryption mode, and both are higher than that of the no-encryption mode.
S122: if the first processing mode is the quantum encryption mode, determine that the actual processing mode to apply to the data flow is the quantum encryption mode.
In practice, if the user requires very high transmission security for the data flow awaiting transmission, the user may select the quantum encryption mode as the first processing mode. The mark component deployed at the sender then adds a quantum encryption mark to the flow. From the quantum encryption mark, the quantum application gateway determines that the first processing mode specified by the user is the quantum encryption mode, which shows that the user explicitly requires the highest security grade for this flow, so the gateway directly determines the quantum encryption mode as the actual processing mode to apply to the flow.
S123: if the first processing mode is not the quantum encryption mode, retrieve the first encryption policy library obtained in advance and determine the actual processing mode to apply to the data flow according to the encryption policies recorded in it and the first processing mode.
The quantum application gateway can obtain a first encryption policy library in advance, in which one or more encryption policies for data flows are recorded. In practice, a network administrator may manually add encryption policies formulated for the data flows of specific users, time periods, applications and so on. For example, the policy for the data flows of information-sensitive groups such as bidding, research and development, legal affairs, finance, human resources and management may be quantum encryption; the policy for data flows such as administration, quality, part of the supply chain and part of marketing may be conventional encryption; and the policy for the data flows of third parties such as customers and suppliers may be no encryption.
In the embodiments, the quantum application gateway can obtain user encryption behaviour data and update the encryption policies recorded in the first encryption policy library according to it. For example, if within a set time period a user adds a quantum encryption mark to every mail-related data flow, then according to that user's encryption behaviour the encryption policy formulated for the user's mail-related data flows can be set to quantum encryption; if the policy library had recorded conventional encryption for that user's mail-related flows, the entry is updated to quantum encryption.
Specifically, the quantum application gateway can obtain the user encryption behaviour data through the mark component deployed on the client or server. As shown in Fig. 3, the mark component may also include a user encryption behaviour collection module, which collects the marking behaviour pattern of the mark module and reports it to the quantum application gateway for encryption policy analysis.
If the first processing mode is not the quantum encryption mode, it may be the no-encryption mode or the conventional encryption mode. In that case the first encryption policy library obtained in advance is retrieved and searched for an encryption policy related to the data flow. If one is found, the actual processing mode to apply to the data flow is determined from the policy found and the first processing mode.
In one embodiment of the invention, the actual processing mode can be determined from the encryption policies recorded in the first encryption policy library and the first processing mode by the following steps:
Step 1: search the first encryption policy library for an encryption policy corresponding to an attribute of the data flow; if one is found, perform step 2;
Step 2: determine the second processing mode corresponding to the encryption policy found;
Step 3: determine the actual processing mode to apply to the data flow according to the security grade of the first processing mode and the security grade of the second processing mode.
For ease of description, the three steps above are explained together.
A data flow has certain attributes, such as its type, its sender, its recipient and the application it belongs to. According to these attributes, an encryption policy corresponding to the attribute can be looked up in the first encryption policy library; if one is found, the second processing mode corresponding to it can be determined. If several encryption policies are found, the processing mode with the highest security grade among them can be taken as the second processing mode, or the processing mode that occurs most often among them can be taken as the second processing mode.
The actual processing mode to apply to the data flow is then determined from the security grade of the first processing mode and that of the second processing mode.
In one embodiment of the invention, if the security grade of the first processing mode is greater than or equal to that of the second processing mode, the first processing mode is determined as the actual processing mode to apply to the data flow; if the security grade of the first processing mode is less than that of the second processing mode, the second processing mode is determined as the actual processing mode to apply to the data flow.
Different processing modes have different security grades: for example, the security grade of the quantum encryption mode is higher than that of the conventional encryption mode, and the security grade of the conventional encryption mode is higher than that of the no-encryption mode.
To ensure secure transmission of the data flow, the processing mode with the higher security grade is applied preferentially. If the security grade of the first processing mode is greater than or equal to that of the second processing mode, the user wishes to raise the security of the flow, and the first processing mode can be taken as the actual processing mode. If the security grade of the first processing mode is less than that of the second, the encryption policy recorded in the first encryption policy library for the attributes of this flow has a higher security grade; this may be because the user specified a wrong processing mode or did not know how to specify one, so in this case the second processing mode prevails and is taken as the actual processing mode. This guarantees secure transmission of the data flow.
In one embodiment of the invention, if no encryption policy corresponding to the attributes of the data flow awaiting transmission is found in the first encryption policy library, the first processing mode can be taken directly as the actual processing mode to apply to the data flow.
In another embodiment of the invention, the encryption mark is a mark of the actual processing mode to apply to the data flow, which the mark component deployed at the sender determines by combining the first processing mode selected by the user with the encryption policies in a second encryption policy library obtained in advance.
In the embodiments, the mark component deployed at the sender obtains the first processing mode selected by the user, combines it with the encryption policies in the second encryption policy library obtained in advance to determine the actual processing mode to apply to the data flow, and adds the mark of that actual processing mode to the data flow, so that the flow carries the encryption mark. After the quantum application gateway obtains the data flow awaiting transmission, it can then determine the actual processing mode directly by identifying the encryption mark carried in the flow.
In the embodiments, as shown in Fig. 7, the mark component may comprise a second user selection module, a second mark module, a second encryption judgement module and a second encryption policy library. The user specifies as needed which processing mode to apply to the data flow awaiting transmission; specifically, through the second user selection module the user selects a processing mode of a given security grade, such as quantum encryption, conventional encryption or no encryption.
The second encryption judgement module learns the first processing mode selected by the user from the second user selection module. Combining the first processing mode with the encryption policies recorded in the second encryption policy library, the second encryption judgement module can determine the actual processing mode to apply to the data flow. One or more encryption policies for data flows are recorded in the second encryption policy library.
For example, if the first processing mode is the quantum encryption mode, the actual processing mode to apply to the data flow is determined to be the quantum encryption mode;
if the first processing mode is not the quantum encryption mode, the second encryption policy library is searched for an encryption policy corresponding to the data flow. If one is found, the second processing mode corresponding to it is determined; when the security grade of the first processing mode is greater than or equal to that of the second processing mode, the first processing mode is determined as the actual processing mode, and when it is less, the second processing mode is determined as the actual processing mode. If none is found, the first processing mode is taken directly as the actual processing mode.
After the second encryption judgement module has determined the actual processing mode to apply to the data flow, the second mark module adds the corresponding encryption mark to the data flow awaiting transmission according to that actual processing mode. Once the quantum application gateway obtains the data flow, it can determine the actual processing mode to apply from the encryption mark carried in the flow.
The mark component can obtain user encryption behaviour data and update the encryption policies recorded in the second encryption policy library according to it.
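The mode decision of steps S121 to S123 (mark to first processing mode, policy lookup, grade comparison, fallback when no policy matches) and the behaviour-driven policy update are small enough to write out in full. The following is an added illustration in Python, not code from the patent or its assignees. The mode names ("none", "conventional", "quantum"), the flow attributes (user, application), the rule shape of the policy library and the three-event threshold for a behaviour-based update are assumptions made here; the patent only names the modes, says policies match flow attributes, and says a policy is updated when a user marks a given kind of flow as quantum "every time". The same `actual_mode` function is what the sender-side mark component of the Fig. 7 variant computes against its own second policy library before writing the mark, so one block serves both placements. Note the effect of the maximum rule: a sender's mark can raise the grade above policy but never lower it below policy, and an unmarked flow is treated as "none" and so lands exactly on the policy grade; the policy library is therefore the only control the gateway owns, and the mark is untrusted sender input that can only add cost.

```python
"""Mode decision of the quantum application gateway (steps S121-S123), as an added
illustration. Mode names, policy shape and the sample flows are constructed here."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Security grades of the three processing modes named in the description:
# quantum > conventional > none (no encryption).
LEVEL = {"none": 0, "conventional": 1, "quantum": 2}


@dataclass(frozen=True)
class Flow:
    user: str                    # sending user (a flow attribute a policy can match)
    app: str                     # application the flow belongs to (another attribute)
    mark: Optional[str] = None   # mark set by the sender-side mark component, or None


@dataclass
class PolicyLibrary:
    """Encryption policy library: each rule is (attribute constraints, processing mode)."""
    rules: list = field(default_factory=list)

    def add(self, mode: str, **attrs) -> None:
        # A new rule for the same attribute set replaces the old one (policy update).
        self.rules = [(c, m) for (c, m) in self.rules if c != attrs]
        self.rules.append((attrs, mode))

    def lookup(self, flow: Flow) -> Optional[str]:
        """Steps 1-2: second processing mode for the flow, or None if no policy matches."""
        found = [m for (c, m) in self.rules
                 if all(getattr(flow, k) == v for k, v in c.items())]
        if not found:
            return None
        # Several policies may match; the description allows taking the highest grade.
        return max(found, key=LEVEL.__getitem__)


def first_mode(flow: Flow) -> str:
    """S121: the mode the user specified. An unmarked or unknown mark counts as 'none'."""
    return flow.mark if flow.mark in LEVEL else "none"


def actual_mode(flow: Flow, lib: PolicyLibrary) -> str:
    """S122-S123: the mode the gateway actually applies to the flow."""
    first = first_mode(flow)
    if first == "quantum":           # S122: an explicit quantum request is honoured directly
        return "quantum"
    second = lib.lookup(flow)        # S123: consult the policy library
    if second is None:
        return first                 # no matching policy: the user's choice stands
    # Step 3: the higher grade wins; on a tie the user's own choice is kept.
    return first if LEVEL[first] >= LEVEL[second] else second


def update_from_behaviour(lib: PolicyLibrary, events, min_count: int = 3) -> None:
    """Policy update from user encryption behaviour data.

    `events` is a list of (user, app, mark) tuples collected over a set time window.
    If a user marked a given application's flows as quantum every time, and at least
    `min_count` times, a quantum policy is recorded for that user/app, replacing any
    older entry. The threshold is an assumption; the description only says 'every time'.
    """
    total = Counter((u, a) for (u, a, _) in events)
    quantum = Counter((u, a) for (u, a, m) in events if m == "quantum")
    for (u, a), n in quantum.items():
        if n >= min_count and n == total[(u, a)]:
            lib.add("quantum", user=u, app=a)


def demo_library() -> PolicyLibrary:
    """Constructed policies mirroring the description's examples."""
    lib = PolicyLibrary()
    lib.add("quantum", user="finance")        # information-sensitive group
    lib.add("conventional", app="erp")        # administration-type traffic
    lib.add("none", user="supplier")          # third party
    return lib


if __name__ == "__main__":
    lib = demo_library()
    for f in (Flow("finance", "mail", "none"), Flow("admin", "erp"),
              Flow("supplier", "portal", "conventional"), Flow("guest", "chat", "quantum")):
        print(f, "->", actual_mode(f, lib))
```

Run as a script it prints the decision for four constructed flows: the finance user's unencrypted-marked mail is raised to quantum by policy, the unmarked ERP flow lands on the conventional policy grade, the supplier's own conventional mark is kept because it exceeds the "none" policy, and the guest's quantum mark is honoured with no policy at all.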
S130: process the data flow according to the actual processing mode.
When the actual processing mode is the quantum encryption mode, quantum encryption is applied to the data flow.
Once the actual processing mode to apply to the data flow awaiting transmission has been determined, the flow can be processed accordingly.
If the actual processing mode is the quantum encryption mode, quantum encryption is applied to the data flow; if it is the conventional encryption mode, conventional encryption is applied; and if it is the no-encryption mode, the data flow is left unencrypted.
To apply quantum encryption, the quantum application gateway can obtain a quantum key generated by the QKD (quantum key distribution) of the quantum secure communication network and use that quantum key to encrypt the data flow awaiting transmission.
S150:Data flow after processing is sent to recipient.
, can be with it is determined that the actual treatment mode used to data flow waiting for transmission, and after carrying out respective handling to data stream Data flow after processing is sent to recipient.Specifically, as shown in figure 1, quantum application gateway can be by data waiting for transmission Stream is sent to recipient by fire wall via internet.
Corresponding to the embodiment shown in Figure 3, Figure 4 shows a structure of the quantum application gateway. As shown in Figure 4, the quantum application gateway may specifically include a first policy management module, a first encryption policy library, a first mark identification module, a first encryption judgement module, a first data-flow forwarding module, a first quantum encryption module and a first conventional encryption module.
The first policy management module can receive encryption policies added manually by the network administrator and/or analyse the user encryption behaviour reported by the client-side marking component, automatically generate encryption policies, and save them in the first encryption policy library.
The first encryption policy library mainly stores the encryption policies generated by the first policy management module.
The first mark identification module can identify the encryption mark carried in the data flow to be transmitted, determine the first processing mode specified by the user, and output it to the first encryption judgement module.
The first encryption judgement module can determine the actual processing mode for the data flow, such as the quantum encryption mode, the conventional encryption mode or the non-encryption mode, from the result identified by the first mark identification module and the encryption policies in the first encryption policy library.
The first data-flow forwarding module can forward the data flow to be transmitted: data flows that the first encryption judgement module judges need quantum encryption are forwarded to the first quantum encryption module, data flows judged to need conventional encryption are forwarded to the first conventional encryption module, and data flows that have already been encrypted accordingly, or that the first encryption judgement module judges need no encryption, are forwarded to the next-stage device, such as a firewall, so that the data flow is transmitted via the Internet through the firewall.
The first quantum encryption module can obtain a quantum key generated by the QKD of the quantum secure communication network, encrypt the data flow with the quantum key, and pass the encrypted data flow back to the first data-flow forwarding module.
The first conventional encryption module can generate a conventional key by techniques such as IKE (Internet Key Exchange protocol), encrypt the data flow with the conventional key, and pass the encrypted data flow back to the first data-flow forwarding module.
The embodiments of the present invention are described from the sender's side of the data flow; after the receiving end receives the data flow, its quantum application gateway can perform the corresponding decryption and forward the data flow. The embodiments of the present invention do not repeat this.
Corresponding to the embodiment shown in Figure 7, Figure 8 shows a structure of the quantum application gateway. As shown in Figure 8, the quantum application gateway may specifically include a second policy management module, a second mark identification module, a second data-flow forwarding module, a second quantum encryption module and a second conventional encryption module.
The second policy management module can obtain encryption policies added manually by the network administrator, such as policies keyed on specific users, time periods or applications, and distribute the relevant encryption policies to the marking component, where they are saved in the second encryption policy library.
The second mark identification module can identify the encryption mark carried in the data flow to be transmitted, determine the actual processing mode for the data flow, such as the quantum encryption mode, the conventional encryption mode or the non-encryption mode, and output the result to the second data-flow forwarding module.
The second data-flow forwarding module can forward the data flow to be transmitted: data flows that the second mark identification module identifies as quantum encryption are forwarded to the second quantum encryption module, data flows identified as conventional encryption are forwarded to the second conventional encryption module, and data flows that have already been encrypted accordingly, or that the second mark identification module determines need no encryption, are forwarded to the next-stage device.
The second quantum encryption module can obtain a quantum key generated by the QKD of the quantum secure communication network, encrypt the data flow with the quantum key, and pass the encrypted data flow back to the second data-flow forwarding module.
The second conventional encryption module can generate a conventional key by techniques such as IKE (Internet Key Exchange protocol), encrypt the data flow with the conventional key, and pass the encrypted data flow back to the second data-flow forwarding module.
The embodiments of the present invention are described from the sender's side of the data flow; after the receiving end receives the data flow, its quantum application gateway can perform the corresponding decryption and forward the data flow. The embodiments of the present invention do not repeat this.
With the method provided by the embodiments of the present invention, after the quantum application gateway deployed at the network exit obtains the data flow to be transmitted, it identifies the encryption mark carried by the data flow, determines the actual processing mode for the data flow and processes the data flow accordingly; when the actual processing mode is the quantum encryption mode, quantum encryption processing is performed on the data flow, and the processed data flow is sent to the recipient. This refines the control granularity of data-flow identification and ensures that quantum secure communication serves specific data flows; on the premise of meeting the user's quantum encryption requirements for data traffic, it effectively improves the utilisation rate of quantum keys, saves quantum secure communication network resources and reduces network cost.
Corresponding to the above method embodiments, the embodiments of the present invention also provide a quantum secure communication device based on mark identification, applied to the quantum application gateway deployed at the network exit. The device based on mark identification described below and the method based on mark identification described above can be referred to each other.
As shown in Figure 5, the device includes the following units:
a data flow obtaining unit 210, for obtaining the data flow to be transmitted;
an actual processing mode determining unit 220, for identifying the encryption mark carried by the data flow and determining the actual processing mode for the data flow;
a processing unit 230, for processing the data flow accordingly using the actual processing mode, where, when the actual processing mode is the quantum encryption mode, quantum encryption processing is performed on the data flow;
a data flow sending unit 240, for sending the processed data flow to the recipient.
With the device provided by the embodiments of the present invention, after the quantum application gateway deployed at the network exit obtains the data flow to be transmitted, it identifies the encryption mark carried by the data flow, determines the actual processing mode for the data flow and processes the data flow accordingly; when the actual processing mode is the quantum encryption mode, quantum encryption processing is performed on the data flow, and the processed data flow is sent to the recipient. This refines the control granularity of data-flow identification and ensures that quantum secure communication serves specific data flows; on the premise of meeting the user's quantum encryption requirements for data traffic, it effectively improves the utilisation rate of quantum keys, saves quantum secure communication network resources and reduces network cost.
In one embodiment of the present invention, the encryption mark is a mark added to the data flow by the marking component deployed at the sender on the basis of the first processing mode selected by the user;
the actual processing mode determining unit 220 is specifically used for:
identifying the encryption mark carried by the data flow and determining the first processing mode specified by the user;
if the first processing mode is the quantum encryption mode, determining that the actual processing mode for the data flow is the quantum encryption mode;
if the first processing mode is not the quantum encryption mode, retrieving the first encryption policy library obtained in advance and determining the actual processing mode for the data flow from the encryption policies recorded in the first encryption policy library and the first processing mode.
In one embodiment of the present invention, the actual processing mode determining unit 220 is specifically used for:
looking up, according to the attributes of the data flow, the encryption policy corresponding to those attributes in the first encryption policy library;
if one is found, determining the second processing mode corresponding to the found encryption policy;
determining the actual processing mode for the data flow from the security level of the first processing mode and the security level of the second processing mode.
In one embodiment of the present invention, the actual processing mode determining unit 220 is specifically used for:
if the security level of the first processing mode is greater than or equal to the security level of the second processing mode, taking the first processing mode as the actual processing mode for the data flow;
if the security level of the first processing mode is lower than the security level of the second processing mode, taking the second processing mode as the actual processing mode for the data flow.
In one embodiment of the present invention, the actual processing mode determining unit 220 is further used for:
when no encryption policy corresponding to the attributes is found in the first encryption policy library, directly taking the first processing mode as the actual processing mode for the data flow.
In one embodiment of the present invention, the device further includes an encryption policy updating unit, used for:
obtaining user encryption behaviour data;
updating, according to the user encryption behaviour data, the encryption policies recorded in the first encryption policy library.
In one embodiment of the present invention, the encryption mark is a mark of the actual processing mode for the data flow, determined by the marking component deployed at the sender by combining the first processing mode selected by the user with the encryption policies in the second encryption policy library obtained in advance.
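The judgement rule described above (the user's first processing mode against the policy found for the flow, higher security level wins, first mode on a tie, first mode when no policy matches), together with the marking and forwarding steps of the Figure 3/4 and Figure 7/8 embodiments, as an added Python example that is not part of the patent. The policy attribute names (user, application, hour), the in-band "ENC-MARK:" format and the ranking of conventional encryption above no encryption are assumptions made for this example; the encryption modules are passed in as callables.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, List, Optional, Tuple


class Mode(IntEnum):
    # Processing modes ordered by security level. The patent ranks quantum
    # encryption highest; ranking conventional above no encryption is assumed here.
    NONE = 0          # non-encryption mode
    CONVENTIONAL = 1  # conventional encryption (key negotiated e.g. via IKE)
    QUANTUM = 2       # quantum encryption (key obtained from the QKD network)


@dataclass(frozen=True)
class Flow:
    # Flow attributes a policy may match on; these names are assumed for the example.
    user: str
    application: str
    hour: int  # hour of day, 0-23


@dataclass(frozen=True)
class Policy:
    # Encryption policy: optional conditions plus the mode ("second processing
    # mode") it prescribes for matching flows.
    mode: Mode
    user: Optional[str] = None
    application: Optional[str] = None
    hours: Optional[Tuple[int, int]] = None  # inclusive [start, end]

    def matches(self, flow: Flow) -> bool:
        return ((self.user is None or self.user == flow.user)
                and (self.application is None or self.application == flow.application)
                and (self.hours is None or self.hours[0] <= flow.hour <= self.hours[1]))


def lookup_policy(policy_lib: List[Policy], flow: Flow) -> Optional[Policy]:
    # First policy whose conditions match the flow's attributes; None if there is none.
    return next((p for p in policy_lib if p.matches(flow)), None)


def decide_actual_mode(first_mode: Mode, flow: Flow, policy_lib: List[Policy]) -> Mode:
    # Encryption judgement: combine the user's first processing mode with the policy
    # library to obtain the actual processing mode for the flow.
    if first_mode is Mode.QUANTUM:       # user asked for quantum: always honoured
        return Mode.QUANTUM
    policy = lookup_policy(policy_lib, flow)
    if policy is None:                   # no policy for this flow: keep the user's choice
        return first_mode
    # Otherwise the higher security level wins; a tie goes to the first processing mode.
    return first_mode if first_mode >= policy.mode else policy.mode


# In-band mark format (an assumption): b"ENC-MARK:<mode name>\n" prefixed to the flow.
MARK_HEADER = b"ENC-MARK:"


def add_mark(mode: Mode, payload: bytes) -> bytes:
    # Marking component: attach the encryption mark to the flow to be transmitted.
    return MARK_HEADER + mode.name.encode("ascii") + b"\n" + payload


def read_mark(marked: bytes) -> Tuple[Mode, bytes]:
    # Mark identification module: recover the mode named by the mark and the payload.
    if not marked.startswith(MARK_HEADER):
        raise ValueError("data flow carries no encryption mark")
    name, _, payload = marked[len(MARK_HEADER):].partition(b"\n")
    return Mode[name.decode("ascii")], payload


def forward(mode: Mode, payload: bytes, quantum_enc: Callable[[bytes], bytes],
            conventional_enc: Callable[[bytes], bytes]) -> bytes:
    # Data-flow forwarding module: hand the flow to the quantum or conventional
    # encryption module as decided, or pass it on unencrypted to the next-stage device.
    if mode is Mode.QUANTUM:
        return quantum_enc(payload)
    if mode is Mode.CONVENTIONAL:
        return conventional_enc(payload)
    return payload


def gateway_first_embodiment(marked: bytes, flow: Flow, policy_lib: List[Policy],
                             quantum_enc, conventional_enc) -> Tuple[Mode, bytes]:
    # Figures 3/4: the mark carries the user's first processing mode and the gateway
    # itself runs the policy judgement before forwarding.
    first_mode, payload = read_mark(marked)
    actual = decide_actual_mode(first_mode, flow, policy_lib)
    return actual, forward(actual, payload, quantum_enc, conventional_enc)


def sender_second_embodiment(first_mode: Mode, flow: Flow, policy_lib: List[Policy],
                             payload: bytes) -> bytes:
    # Figures 7/8: the sender-side marking component runs the judgement and marks the
    # flow with the actual mode, so the gateway only has to read_mark() and forward().
    return add_mark(decide_actual_mode(first_mode, flow, policy_lib), payload)
```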
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments can be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant parts, refer to the description of the method.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in electronic hardware, computer software or a combination of the two. To illustrate clearly the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or in software depends on the particular application and the design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be considered to go beyond the scope of the present invention.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM or any other form of storage medium well known in the technical field.
Specific examples have been used herein to explain the principles and embodiments of the present invention; the description of the above embodiments is only intended to help understand the technical solution of the present invention and its core idea. It should be pointed out that those of ordinary skill in the art can make improvements and modifications to the present invention without departing from its principles, and such improvements and modifications also fall within the scope of protection of the claims of the present invention.

Claims (10)

  1. A quantum secure communication method based on mark identification, characterised in that it is applied to a quantum application gateway deployed at a network exit and comprises:
    obtaining a data flow to be transmitted;
    identifying the encryption mark carried by the data flow and determining the actual processing mode for the data flow;
    processing the data flow accordingly using the actual processing mode, wherein, when the actual processing mode is a quantum encryption mode, quantum encryption processing is performed on the data flow;
    sending the processed data flow to a recipient.
  2. The method according to claim 1, characterised in that the encryption mark is a mark added to the data flow by a marking component deployed at the sender on the basis of a first processing mode selected by the user;
    and identifying the encryption mark carried by the data flow and determining the actual processing mode for the data flow comprises:
    identifying the encryption mark carried by the data flow and determining the first processing mode specified by the user;
    if the first processing mode is the quantum encryption mode, determining that the actual processing mode for the data flow is the quantum encryption mode;
    if the first processing mode is not the quantum encryption mode, retrieving a first encryption policy library obtained in advance and determining the actual processing mode for the data flow from the encryption policies recorded in the first encryption policy library and the first processing mode.
  3. The method according to claim 2, characterised in that determining the actual processing mode for the data flow from the encryption policies recorded in the first encryption policy library and the first processing mode comprises:
    looking up, according to the attributes of the data flow, the encryption policy corresponding to those attributes in the first encryption policy library;
    if one is found, determining the second processing mode corresponding to the found encryption policy;
    determining the actual processing mode for the data flow from the security level of the first processing mode and the security level of the second processing mode.
  4. The method according to claim 3, characterised in that determining the actual processing mode for the data flow from the security level of the first processing mode and the security level of the second processing mode comprises:
    if the security level of the first processing mode is greater than or equal to the security level of the second processing mode, taking the first processing mode as the actual processing mode for the data flow;
    if the security level of the first processing mode is lower than the security level of the second processing mode, taking the second processing mode as the actual processing mode for the data flow.
  5. The method according to claim 3, characterised in that, when no encryption policy corresponding to the attributes is found in the first encryption policy library, the method further comprises:
    directly taking the first processing mode as the actual processing mode for the data flow.
  6. The method according to any one of claims 2 to 5, characterised in that it further comprises:
    obtaining user encryption behaviour data;
    updating, according to the user encryption behaviour data, the encryption policies recorded in the first encryption policy library.
  7. The method according to claim 1, characterised in that the encryption mark is a mark of the actual processing mode for the data flow, determined by a marking component deployed at the sender by combining the first processing mode selected by the user with the encryption policies in a second encryption policy library obtained in advance.
  8. A quantum secure communication device based on mark identification, characterised in that it is applied to a quantum application gateway deployed at a network exit and comprises:
    a data flow obtaining unit, for obtaining a data flow to be transmitted;
    an actual processing mode determining unit, for identifying the encryption mark carried by the data flow and determining the actual processing mode for the data flow;
    a processing unit, for processing the data flow accordingly using the actual processing mode, wherein, when the actual processing mode is a quantum encryption mode, quantum encryption processing is performed on the data flow;
    a data flow sending unit, for sending the processed data flow to a recipient.
  9. The device according to claim 8, characterised in that the encryption mark is a mark added to the data flow by a marking component deployed at the sender on the basis of a first processing mode selected by the user;
    and the actual processing mode determining unit is specifically used for:
    identifying the encryption mark carried by the data flow and determining the first processing mode specified by the user;
    if the first processing mode is the quantum encryption mode, determining that the actual processing mode for the data flow is the quantum encryption mode;
    if the first processing mode is not the quantum encryption mode, retrieving a first encryption policy library obtained in advance and determining the actual processing mode for the data flow from the encryption policies recorded in the first encryption policy library and the first processing mode.
  10. The device according to claim 8, characterised in that the encryption mark is a mark of the actual processing mode for the data flow, determined by a marking component deployed at the sender by combining the first processing mode selected by the user with the encryption policies in a second encryption policy library obtained in advance.
CN201710910878.2A 2017-09-29 2017-09-29 Quantum secret communication method and device based on identification recognition Active CN107659400B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710910878.2A CN107659400B (en) 2017-09-29 2017-09-29 Quantum secret communication method and device based on identification recognition

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710910878.2A CN107659400B (en) 2017-09-29 2017-09-29 Quantum secret communication method and device based on identification recognition

Publications (2)

Publication Number Publication Date
CN107659400A true CN107659400A (en) 2018-02-02
CN107659400B CN107659400B (en) 2020-08-28

Family

ID=61117356

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710910878.2A Active CN107659400B (en) 2017-09-29 2017-09-29 Quantum secret communication method and device based on identification recognition

Country Status (1)

Country Link
CN (1) CN107659400B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108683665A (en) * 2018-05-15 2018-10-19 国家电网公司 Data ciphering method, system in fiber optic communication and data transmitting equipment
CN108696353A (en) * 2018-05-30 2018-10-23 厦门科华恒盛股份有限公司 A kind of distribution method of quantum key and system, service station
CN109951381A (en) * 2019-04-24 2019-06-28 长春大学 A kind of mail security transmission method based on the public cloud service platform of quantum key
CN112491537A (en) * 2020-11-10 2021-03-12 国网天津市电力公司 Electric energy metering system safety protection method based on quantum secret communication technology

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7590868B2 (en) * 2005-02-09 2009-09-15 Hewlett-Packard Development Company, L.P. Method and apparatus for managing encrypted data on a computer readable medium
CN103617401A (en) * 2013-11-25 2014-03-05 北京深思数盾科技有限公司 Method and device for protecting data files
CN103840936A (en) * 2014-02-28 2014-06-04 山东量子科学技术研究院有限公司 Reliable encryption transmission system and method of quantum cryptography network
CN103916239A (en) * 2014-04-09 2014-07-09 长春大学 Quantum secret communication gateway system for financial security network
CN105376051A (en) * 2014-08-29 2016-03-02 宇龙计算机通信科技(深圳)有限公司 Encryption method and apparatus, and terminal
CN105960811A (en) * 2014-01-29 2016-09-21 三星电子株式会社 User terminal device and secured communication method thereof

Also Published As

Publication number Publication date
CN107659400B (en) 2020-08-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 361000 Ma Long Road 457, Torch Garden, Xiamen Torch High-tech Zone, Fujian Province

Applicant after: Kehua Hengsheng Co., Ltd.

Applicant after: Kehua Technology Co., Ltd., Zhangzhou

Address before: 361000 torch garden, torch high tech Zone, Xiamen, Fujian 457

Applicant before: Xiamen Kehua Hengsheng Co., Ltd.

Applicant before: Kehua Technology Co., Ltd., Zhangzhou

GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 361000 Ma Long Road 457, Torch Garden, Xiamen Torch High-tech Zone, Fujian Province

Patentee after: Kehua Data Co.,Ltd.

Patentee after: ZHANGZHOU KEHUA TECHNOLOGY LIMITED BY SHARE Ltd.

Address before: 361000 Ma Long Road 457, Torch Garden, Xiamen Torch High-tech Zone, Fujian Province

Patentee before: XIAMEN KEHUAHENGSHENG LIMITED BY SHARE Ltd.

Patentee before: ZHANGZHOU KEHUA TECHNOLOGY LIMITED BY SHARE Ltd.