CN107959569B - Key supplementing method, key supplementing device and key supplementing system based on symmetric key pool - Google Patents

Publication number: CN107959569B
Authority: CN (China)
Legal status: Active
Application number: CN201711204731.8A
Other languages: Chinese (zh)
Other versions: CN107959569A (en)
Inventors: 富尧, 钟一民
Current Assignee: Zhejiang Shenzhou Liangzi Network Science & Technology Co ltd
Original Assignee: Zhejiang Shenzhou Liangzi Network Science & Technology Co ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Abstract

The invention discloses a key supplementing method, a key supplementing device and a key supplementing system based on a symmetric key pool. When the method is implemented on an active supplementing party, the messages transmitted and received between the active supplementing party and a passive supplementing party are all in ciphertext, and the messages carry authentication information for the opposite party to authenticate. The key supplementing method specifically comprises the following steps: sending a supplement request to a passive supplement party; and receiving a supplement response returned by the passive supplement party after the passive supplement party processes the supplement request, performing supplement judgment, sending supplement feedback to the passive supplement party according to a judgment result, and performing corresponding supplement on the passive supplement party. When the symmetric key pool is supplemented and transmitted, a message authentication mechanism is added to the key supplement information, and the key supplement information is encrypted into ciphertext. The user equipment does not need to be taken to the key source side and directly connected in order to supplement the symmetric key pool, which is very convenient for the user and reduces, for the key source side, the risk of untrusted user equipment affecting system security.

Description

Key supplementing method, key supplementing device and key supplementing system based on symmetric key pool
Technical Field
The invention relates to the technical field of secure communication, in particular to a key supplementing method and a key supplementing system based on a symmetric key pool, namely a mechanism for supplementing keys to the symmetric key pool by two communication parties at the same time.
Background
Due to the development of quantum computers, classical asymmetric cryptographic algorithms are no longer secure, and symmetric key algorithms will be the best approach for both authentication and encryption/decryption. If only a small number of symmetric keys are pre-distributed, the security of the system is greatly reduced after multiple rounds of use. The symmetric key pool approach will therefore be an important, or even mainstream, solution for securing keys. The symmetric key pool maintains a large number of pre-assigned keys for both parties.
As a scheme of security upgrade, all or part of the content in the symmetric key pool can be stored in an encrypted manner, and the encrypted key can be stored in a security isolation device hosted by the symmetric key pool. When the key operation is subsequently performed on the symmetric key pool, the symmetric key pool needs to be decrypted by the security isolation device and then used.
For the symmetric key pool, see the invention patent document with disclosure number CN106452740A, entitled "a quantum communication service station, a quantum key management device, a key configuration network and a method". It discloses a quantum communication service station and a quantum key management device that share the same quantum true random number key data block; this pair of data blocks can be understood as a pair of symmetric key pools, used by the users on both sides for communication encrypted with quantum true random number keys. To supplement keys, the user must take the quantum key management device to the quantum communication service station, where the station's quantum true random number generator supplements keys for both the station and the device.
The symmetric key pool supports operations such as distribution, synchronization, supplement, monitoring and key fetching. Distribution refers to forming and filling the symmetric key pool. Synchronization refers to selecting a section of key from the symmetric key pool for identity authentication, message authentication, or use as a session key by the service layer. Supplement means that both parties simultaneously delete the data in the used key area and fill in new keys; while the key pool is being supplemented, no other operation can be carried out until the supplement is finished. Monitoring means recording the usage conditions of the current key pool, such as the remaining key amount, state machine switching, workload and alarm information. Key fetching means taking a key out of the synchronized key pool for service layer use; while the key pool is being synchronized, keys cannot be fetched until the synchronization is finished.
The problems existing in the prior art are as follows:
1. The supplement of the symmetric key pool requires the user equipment to be taken to the key source side and connected directly, which is very inconvenient for the user and exposes the key source side to the risk of untrusted user equipment affecting system security.
2. The supplement of the symmetric key pool does not reliably verify the key supplement condition of the other side, and the number and the value of the keys supplemented by the two sides of the symmetric key pool cannot be ensured to be consistent.
Disclosure of Invention
The invention provides a key supplementing method, which can improve the current key pool supplementing mechanism, greatly improve the safety and further improve the exception handling capacity and convenience.
A key supplementing method based on symmetric key pool is implemented on an active supplementing party, messages transmitted and received between the active supplementing party and a passive supplementing party are all in a ciphertext mode, and the messages contain authentication information for an opposite party to authenticate.
The key supplementing method specifically comprises the following steps:
sending a supplement request to a passive supplement party;
and receiving a supplement response returned by the passive supplement party after the passive supplement party processes the supplement request, performing supplement judgment, sending supplement feedback to the passive supplement party according to a judgment result, and performing corresponding supplement on the passive supplement party.
Correspondingly, the invention also provides a key supplementing device based on the symmetric key pool as an active supplementing party, which comprises a processor and a memory, wherein the memory is used for storing the following instructions and is loaded and executed by the processor:
sending a supplement request to a passive supplement party;
receiving a supplement response returned by the passive supplement party after the passive supplement party processes the supplement request, performing supplement judgment, sending supplement feedback to the passive supplement party according to a judgment result, and performing corresponding supplement on the passive supplement party;
the messages transmitted and received between the active supplementing party and the passive supplementing party are all in a ciphertext mode, and the messages are provided with authentication information for the other party to authenticate.
A key supplementing method based on symmetric key pool is implemented on a passive supplementing party, messages transmitted and received between the passive supplementing party and an active supplementing party are all in a ciphertext mode, and the messages contain authentication information for an opposite party to authenticate.
The key supplementing method specifically comprises the following steps:
receiving a supplement request from an active supplement party, judging whether to pre-supplement, and sending a supplement response to the active supplement party according to the judgment result, wherein the supplement response is used by the active supplement party for supplement judgment;
and receiving the supplement feedback returned by the active supplement party according to the supplement judgment, and supplementing correspondingly at the own party.
Correspondingly, the invention also provides a key supplementing device based on a symmetric key pool as a passive supplementing party, which comprises a processor and a memory, wherein the memory is used for storing the following instructions and is loaded and executed by the processor:
receiving a supplement request from an active supplement party, judging whether to pre-supplement, and sending a supplement response to the active supplement party according to the judgment result, wherein the supplement response is used by the active supplement party for supplement judgment;
receiving the supplement feedback returned by the active supplement party according to the supplement judgment, and supplementing correspondingly at the own party;
the messages transmitted and received between the passive supplementing party and the active supplementing party are all in a ciphertext mode, and the messages are provided with authentication information for the other party to authenticate.
A key supplementing method based on symmetric key pool is implemented between two supplementing parties with symmetric key pool, both of them use cipher text mode when sending message each other, and the message has authentication information for the other party to authenticate.
The key supplementing method specifically comprises the following steps:
the active supplementing party sends a supplementing request to the passive supplementing party;
the passive replenisher judges whether to supplement or not after receiving the supplement request, and sends corresponding supplement response to the active replenisher according to the judgment result;
the active supplementing party receives the supplementing response, carries out supplementing judgment, sends supplementing feedback to the passive supplementing party according to the judgment result and supplements correspondingly at the own party;
the passive replenisher receives the replenishment feedback and replenishes accordingly at the own party.
Correspondingly, the invention also provides a key supplementing system, which comprises the key supplementing device based on the symmetric key pool as an active supplementing party and the key supplementing device based on the symmetric key pool as a passive supplementing party.
In the invention, the key supplement between the two supplementing parties, namely the active supplementing party and the passive supplementing party, does not need the access and control of a third party, and other members of the network are not influenced even if abnormal conditions occur.
The messages sent by the two supplementing parties, such as the supplement request, the supplement response and the supplement feedback, are all in ciphertext; because both parties hold a symmetric key pool, they can encrypt and decrypt accordingly. In addition, every message uses an authentication mechanism, that is, it is authenticated with the authentication information it carries. The message authentication algorithm itself can follow the prior art, such as a keyed hash algorithm, for example a MAC algorithm (e.g., the HMAC algorithm) from classical cryptography. The message authentication algorithm can detect tampering and impersonation, confirm the integrity of the message and authenticate the identity of the sender.
The key supplement requirement of the application layer may come from the active replenisher itself or from other devices.
The active supplementing party firstly judges the rationality of the key supplementing requirement, if any one of the following conditions is met, the key supplementing requirement is judged to be unreasonable, and the supplementing request is not sent any more:
(a) the supplementary area is overlapped with the effective area of the key storage;
(b) the supplementary area is smaller than the set value;
(c) the supplemental area is too large to exceed the size of the key supplemental cache.
The active supplement party can also set other judgment conditions and a threshold value of the supplement area size according to needs. The key storage effective area is the area for storing the effective key, and the supplementary area should be other areas of the key pool, and is also limited by the size of the key supplementary cache.
The supplementary request comprises an identity identifier, key supplementary information and a message authentication code, wherein the key supplementary information and the message authentication code are in a ciphertext form;
the key supplement information includes a timestamp and a key supplement requirement, and the key supplement requirement includes a key supplement position and a key length of a key to be supplemented.
The identity mark is used for identifying and positioning a corresponding key pool by the other party, and the message authentication code is the authentication information used for authenticating the other party.
The supplement request comprises an identity. After receiving the supplement request, the passive supplementing party first verifies the identity in it; if the identity is not legal, the data packet of the supplement request is discarded, and if it is legal, the passive supplementing party locates the key pool corresponding to the identity.
Because the supplement request is initiated by the active supplement party, the identity is the identity of the active supplement party, and the passive supplement party can find the key pool corresponding to the active supplement party according to the identity.
And conversely, in subsequent communication, the active supplementing party can find the key pool corresponding to the passive supplementing party according to the identity of the passive supplementing party carried in the message.
Because a symmetric key pool is configured between the passive supplementing party and the active supplementing party, the passive supplementing party can locally extract the corresponding key to decrypt and authenticate the supplement request. If the authentication fails, it sends a failed supplement response to the active supplementing party; if the authentication succeeds, it judges whether to pre-supplement.
To judge whether to pre-supplement, the passive replenisher judges the reasonableness of the key supplement requirement; if any one of the following conditions is met, the key supplement requirement is judged to be unreasonable, and a failed supplement response is sent to the active replenisher:
(a) the supplementary area is overlapped with the effective area of the key storage;
(b) the supplementary area is smaller than the set value;
(c) the supplemental area is too large to exceed the size of the key supplemental cache.
And if the rationality judgment of the key supplement requirement is passed, the passive supplement party performs the key pre-supplement.
The active and passive supplementing parties need to judge the reasonability of the key supplementing requirement, and the sizes of the key storage effective area and the key supplementing cache related to the judgment refer to the relevant parameters of the own party.
The passive supplementing party is configured with a key source, and the pre-supplementation comprises the passive supplementing party requesting from the key source a true random number key of the required length and storing it in the cache of the passive supplementing party.
The key source is generally a device that can generate quantum random numbers, and is preferably configured as independent hardware on the passive supplementing party's side to improve security.
After the pre-supplementation is finished, the passive supplementing party assembles a successful supplementing response and sends the successful supplementing response to the active supplementing party, wherein the successful supplementing response comprises an identity, key supplementing information and a message authentication code, and the key supplementing information and the message authentication code are in a ciphertext form;
the key supplement information includes a timestamp and a key supplement requirement, and the key supplement requirement includes a key position and a key length of a key to be supplemented.
Preferably, the passive supplementing party further calculates a hash value of the true random number key, and correspondingly, the key supplementing information further includes the hash value.
The hash value is sent to the active supplementing party together with the successful supplement response, for later comparison and verification at the active supplementing party, so as to ensure the security of the true random number key transmission.
After the pre-supplementation is finished, the passive supplementing party also sends the requested true random number key to the active supplementing party in ciphertext.
The true random number key is encrypted with one-time pad encryption or a general symmetric encryption algorithm.
Preferably, the one-time pad encryption uses a key of an invalid area in a key pool.
Preferably, the common symmetric encryption algorithm uses keys of valid regions in a key pool.
After receiving the supplement response, the active supplementing party decrypts and authenticates it, and sends failed supplement feedback to the passive supplementing party if the authentication fails.
If the authentication succeeds, the supplement response is analyzed further. Since the supplement response may be either a failed or a successful supplement response, its type is determined after analysis from a feature code or from the format.
If the supplement response is a failed supplement response, the active supplementing party reports the supplement failure to the application layer, and the process ends.
If it is a successful supplement response, the active replenisher judges the reasonableness of the key supplement requirement. If the judgment fails, failed supplement feedback is sent to the passive replenisher; if the judgment succeeds, the hash value is written into the designated cache region.
The active supplementing party receives the true random number key from the passive supplementing party, then correspondingly decrypts the true random number key and stores the true random number key in a cache;
verifying the decrypted true random number key by using the hash value, and sending failed supplementary feedback or successful supplementary feedback to a passive supplementary party according to whether the verification is successful or not;
if the verification is successful, copying the decrypted true random number key into a key pool to complete key supplement;
and if the verification fails, correspondingly reporting to the application layer.
After receiving the supplement feedback, the passive supplementing party decrypts and analyzes it. If it is failed supplement feedback, the passive supplementing party abandons the supplement operation and reports the supplement failure to the application layer;
and if the feedback is successful supplement, copying the true random number key in the cache into the key pool, namely completing the key supplement.
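The cache-then-commit exchange described above, as an added example (not code from the patent): U2 pre-supplements R into its cache and sends H plus the one-time-pad-encrypted R, and U1 verifies R against H before either side writes to its pool. SHA-256, `secrets.token_bytes` standing in for the true random number key source, the pad position and the `ACK_OK`/`ACK_FAIL` labels are assumptions; the RESP and ACK envelopes are assumed to be already encrypted and authenticated.

```python
import hashlib
import hmac
import secrets


def xor(key, data):
    return bytes(k ^ d for k, d in zip(key, data))


class Party:
    """One side's key pool plus its key supplement cache CC = (CR, CH)."""

    def __init__(self, pool):
        self.pool = bytearray(pool)
        self.cr = None           # CR: true random number key R awaiting commit
        self.ch = None           # CH: hash value H of R

    def in_progress(self):
        """A non-empty cache means a supplement is under way."""
        return self.cr is not None or self.ch is not None

    def pad(self, pad_pos, length):
        """One-time pad taken from the pool (the page prefers the invalid area)."""
        return bytes(self.pool[pad_pos:pad_pos + length])

    def abandon(self):
        self.cr = self.ch = None

    def commit(self, p):
        """Copy R from the cache into the pool at position P, then empty the cache."""
        self.pool[p:p + len(self.cr)] = self.cr
        self.abandon()


def passive_pre_supplement(u2, length, pad_pos, key_source=secrets.token_bytes):
    """U2 fetches R from its key source into its cache; returns (H, encrypted R)."""
    u2.cr = key_source(length)
    u2.ch = hashlib.sha256(u2.cr).digest()
    return u2.ch, xor(u2.pad(pad_pos, length), u2.cr)


def active_receive(u1, h, enc_r, p, pad_pos):
    """U1 stores H, decrypts R into CR, verifies it and decides the feedback."""
    u1.ch = h
    u1.cr = xor(u1.pad(pad_pos, len(enc_r)), enc_r)
    if hmac.compare_digest(hashlib.sha256(u1.cr).digest(), u1.ch):
        u1.commit(p)             # U1 supplements when it sends the successful feedback
        return "ACK_OK"
    u1.abandon()
    return "ACK_FAIL"


def passive_on_ack(u2, ack, p):
    """U2 writes to its pool only after successful feedback arrives."""
    if ack == "ACK_OK":
        u2.commit(p)
    else:
        u2.abandon()


def run_round(u1, u2, p, length, pad_pos, corrupt=False):
    """One supplement round; corrupt=True flips a bit of the encrypted R in transit."""
    h, enc_r = passive_pre_supplement(u2, length, pad_pos)
    if corrupt:
        enc_r = bytes([enc_r[0] ^ 1]) + enc_r[1:]
    ack = active_receive(u1, h, enc_r, p, pad_pos)
    passive_on_ack(u2, ack, p)
    return ack


def demo_parties():
    """Two parties holding the same constructed 256-byte pool."""
    data = hashlib.shake_256(b"constructed demo pool").digest(256)
    return Party(data), Party(data)


if __name__ == "__main__":
    u1, u2 = demo_parties()
    print(run_round(u1, u2, p=0, length=32, pad_pos=64), u1.pool == u2.pool)
    print(run_round(u1, u2, p=32, length=32, pad_pos=96, corrupt=True),
          u1.pool == u2.pool)
```

Because neither side touches its pool until R has been checked against H, a damaged transfer leaves both pools identical and both caches empty.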
The invention has the beneficial effects that:
1. When the symmetric key pool is supplemented and transmitted, a message authentication mechanism is added to the key supplement information, and the key supplement information is encrypted into ciphertext; the encryption mode can be one-time pad encryption with extremely high security, so the security of the system is greatly improved. Advantageously, the symmetric key pool is supplemented without the need to bring the user equipment to the key source and connect it directly, which is very convenient for the user and reduces the risk of the key source being compromised by untrusted user equipment.
2. The method for supplementing the symmetric key pool reliably verifies the key supplementation condition of the other side, and ensures that the number of keys and key values supplemented by both sides of the symmetric key pool are consistent, namely, the stability and reliability of supplementation are improved.
Drawings
FIG. 1 is a schematic diagram of a symmetric key pool complementary structure;
FIG. 2 is a diagram illustrating a symmetric key pool structure;
fig. 3 is a schematic diagram of a normal flow of key supplement.
Detailed Description
1. Distribution of symmetric key pools
The users USER1 and USER2 form a pair of symmetric key pools by distributing copies of true random numbers. The pool name identifiers are PN = U1 and PN = U2 respectively, and the sizes are PS = PS1 = PS2. The IDs of USER1 and USER2 are ID1 and ID2 respectively, and each pool records the ID of the other party, that is: in U1, PID = ID2; in U2, PID = ID1. As keys are used, the amount of keys RPS in the key pool gradually decreases. PN, PS, PID, RPS and so on all belong to the key pool basic information.
The key storage module is divided into an invalid area and an effective area; the invalid area refers to a key area that has been used; the valid area refers to a key area that has not been used. As the keys are used, the invalid area is gradually enlarged and the valid area is gradually reduced. When the key amount of the effective area is insufficient, the keys in the symmetric key pool can be supplemented by the method of the invention.
2. Complementary principle of symmetric key pool
Referring to FIG. 1, for key supplementation the symmetric key pool is divided into an active replenisher key pool and a passive replenisher key pool, and the passive replenisher key pool has a key source that provides keys for it. The key source is a true random number key source, such as a true random number generator. The active replenisher key pool and the passive replenisher key pool each have a key supplement module and a key storage module, and they communicate with each other over a network connection. The passive replenisher key pool and the key source communicate through a secure connection. Preferably, the passive replenisher key pool is a key storage device in a host board card, and the key source is a quantum true random number generator in the same host board card. The host board card is a hardware isolation device with respect to the host, and it is difficult for a malicious program on the host to obtain its internal information, so the connection between the passive replenisher key pool and the key source can be regarded as a secure connection over which the key can be transmitted directly.
The symmetric key pool is controlled by a key supplement module to supplement keys. Preferably, the key supplement module is located in a hardware isolation device, so that the security in the key supplement process can be ensured.
The key supplement module comprises key supplement control information and a key supplement algorithm module.
Because the implementation depends on both hardware and software, terms in the invention such as the key supplement module and the key supplement algorithm module can be understood, where the hardware structure is described, as hardware chips, board cards and the like, arranged independently or integrated; where the method flow is described, they can be understood as software modules, address information and the like, corresponding to the respective functions and processing flows.
The key supplement control information C includes a key supplement demand cache CD and a key supplement cache CC.
When the symmetric key pool is in the replenishment process, C has a value; when the symmetric key pool is in other states such as supplementation not started, supplementation completed, etc., C is empty.
The CD stores key supplement requirements including a cache CP storing key supplement location P and a cache CL storing key supplement length L.
P and L correspond to key storage areas in a segment of the key invalidation area to be used for storing supplemental keys.
The CC is used as a cache in the key supplementing process, and comprises a cache CR for storing a true random number key and a cache CH for storing a hash value of the true random number key, and the cache CR and the cache CH respectively store key data R to be supplemented into a key pool and a hash value H of the R. The key supplement algorithm module comprises a message authentication algorithm and an encryption and decryption algorithm.
The supplement of the symmetric key pool means that both sides delete the data of the key area that has been used and fill in the new key. Specifically, the number and consistency of key supplement are determined through a key supplement message M; the key supplement data is communicated via encrypted communication.
The key supplement message contains a timestamp TS, which is added to prevent replay attacks. After the two sides of the symmetric key pool have synchronized the key pool, let the current key position be Pn and the key value be Kn.
Referring to FIG. 2, Kn may be logically divided into a message encryption key KE and a message authentication key KA, with lengths LE and LA respectively. LE and LA may be fixed values, or the specific lengths may be determined by the requirements of the application layer in actual use. The total length Ln of the section Kn satisfies Ln ≥ LE + LA.
To prevent the transmitted information from being tampered with and to ensure the identity of the sender, an authentication code is attached to the information. Specifically, the authentication code may be generated by a keyed hash algorithm, such as a MAC algorithm (e.g., the HMAC algorithm) from classical cryptography, using KA in Kn as the key. A message authentication code MD is calculated over M with KA. M and MD together are called MS. Because transmitting MS in plaintext would reduce the security of the system, MS is symmetrically encrypted to form the encrypted key supplement message ME; the symmetric encryption key is KE in Kn, and the encryption method can be a symmetric encryption algorithm such as AES. After message transmission and message authentication succeed on both sides, the messages are decrypted, the target information of the supplementary key is determined, and the key supplement operation is then carried out.
3. Complementary flow of symmetric key pool
Let the active and passive replenishers of the key be USER1 and USER2 respectively, with key pools U1 and U2 respectively. Below, variables of the active replenisher carry no superscript; those of the passive replenisher carry a prime sign.
The two sides have C and C' respectively. Before supplementation, both C and C' are empty. During supplementation, at least one of C and C' is not empty. Whether U1 is in the middle of a supplement can be determined by whether C is empty; whether U2 is in the middle of a supplement can be determined by whether C' is empty.
With reference to FIG. 3, the supplement procedure of the symmetric key pool in the present embodiment consists of U1 sending a request message INVITE (i.e., the supplement request), U2 sending a response message RESP (i.e., the supplement response), and U1 sending an acknowledgement message ACK (i.e., the supplement feedback). U1 supplements the key after sending the ACK; U2 supplements the key after receiving the ACK. The normal procedure, named PC, is as follows:
(1) u1 sending INVITE
3.1U1 Key supplement requirements. The key supplement requirement of U1 can be denoted as SR ═ P, L, which means that the application layer of U1 needs to supplement a key with a key position of P and a key length of L. P may be empty if the key is supplemented at the beginning of the key storage invalid area.
3.2U1 judges the reasonableness of the key supplement requirement. If the following conditions occur, the key supplement requirement is judged to be unreasonable, and the process is ended: (a) the supplementary area is calculated to be overlapped with the effective area of the key storage; (b) the supplementary area is too small; (c) the supplementary area is too large to exceed the size of the CC area, so that the supplementary process cannot be continuously executed; (d) other requests for replenishment that should be denied based on policy, such as requests from applications that do not have replenishment rights.
If the key supplement requirement is judged to be reasonable, the SR is written into the CD.
3.3 generate a U1 supplemental message.
3.3.1 formation of M: consisting of the time stamps TS, SR at the time.
3.3.2 generating MD: and taking out the KA, and calculating a message authentication code for the M to obtain the MD.
3.3.3 ME Generation: and taking out the KE, and symmetrically encrypting the message after M and MD assembly to generate the ME.
3.4U1 sends ID1 and ME assembled to USER2, INVITE.
(2) U2 sends RESP
3.5 USER2 finds U2: after receiving the INVITE, USER2 parses out ID1^invite and ME^invite. Because ID1 and ME are transmitted over the network and may have been modified by the time they arrive, they are denoted ID1^invite and ME^invite. The remaining variables parsed from the INVITE are likewise marked with an "invite" superscript below. If ID1^invite is not recognized by any key pool of USER2, then ID1^invite is not a legal ID for USER2; this exception is denoted EXP1. In that case USER2 directly discards the packet and the process ends. Otherwise, USER2 finds the local key pool U2 with PID = ID1^invite and proceeds to the next step.
3.6 U2 parses the supplement message.
3.6.1 Message decryption: U2 takes out KE' and decrypts to obtain the supplement message M^invite (containing TS^invite and SR^invite) and the authentication information MD^invite of the supplement message.
3.6.2 Message authentication: U2 takes out KA' and performs the message authentication operation on M^invite to obtain the authentication information MD'. U2 compares MD' with MD^invite; if they are not consistent, the message authentication condition is not met. In that case U2 returns a failed RESP (i.e., a failed supplement response) and the flow enters 3.11. If the message authentication succeeds, the next step is carried out.
The failed RESP is constructed as follows:
(a) Generate M': M' consists of the current timestamp TS' and RESPERR. RESPERR is an agreed RESP string or identifier indicating that the supplement failed; it has many possible values.
(b) Generate MD': take out KA' and calculate a message authentication code over M' to obtain MD'.
(c) Generate ME': take out KE' and symmetrically encrypt the message assembled from M' and MD' to generate ME'.
(d) Assemble ID2 and ME' to complete the failed RESP.
3.6.3 Judge the reasonableness of SR^invite. If any of the following occurs, SR^invite is judged unreasonable: (a) the supplementary area is calculated to overlap the valid area of the key storage; (b) the supplementary area is too small; (c) the supplementary area is so large that it exceeds the size of the CC' area, so that the supplement process cannot continue. In that case U2 returns a failed RESP (i.e., a failed supplement response) and the flow enters 3.11. If SR^invite is reasonable, the next step is carried out.
3.6.4 The supplement message is successfully parsed; SR' = SR^invite is set and written into CD'.
3.7 U2 pre-supplementation
U2 applies to the key source for a true random number key R' of length L and stores it in CR'. It then calculates the hash value H' of R' and places it in CH' for later use.
3.8 Generate the U2 supplement message:
3.8.1 Generate M': M' consists of the current timestamp TS', SR' and H'.
3.8.2 Generate MD': take out KA' and calculate a message authentication code over M' to obtain MD'.
3.8.3 Generate ME': take out KE' and symmetrically encrypt the message assembled from M' and MD' to generate ME'.
3.9 U2 assembles ID2 and ME' and sends them to USER1; this is the successful RESP (i.e., a successful supplement response).
3.10 U2 sends the encryption key.
U2 symmetrically encrypts R' to obtain RE' and sends it to USER1.
One of the following two encryption methods is selected:
(a) One-time pad encryption:
R' is encrypted with the one-time-pad XOR algorithm, using the key RF' of the key storage invalid area that is to be replenished. RF' has the same length as R' and is a true random number supplemented on a previous occasion, so R' can be encrypted with the one-time-pad XOR algorithm. The one-time pad is theoretically the highest security level of encryption, so the security of this method is very high.
(b) Encryption with a general symmetric encryption algorithm, here exemplified by AES encryption:
R' is encrypted by the AES algorithm using the next key of KE' or Kn'.
(3) U1 sends ACK
3.11 USER1 finds U1: after receiving the RESP, USER1 parses out ID2^resp and ME^resp. Because ID2 and ME' are transmitted over the network and may have been modified by the time they arrive, they are denoted ID2^resp and ME^resp. The remaining variables parsed from the RESP are likewise marked with a "resp" superscript below. If ID2^resp is not recognized by any key pool of USER1, then ID2^resp is not a legal ID for USER1; this exception is denoted EXP2. In that case USER1 directly discards the packet and the process ends. Otherwise, USER1 finds the local key pool U1 with PID = ID2^resp and proceeds to the next step.
3.12 U1 parses the supplement message.
3.12.1 Message decryption: U1 takes out KE and decrypts to obtain the supplement message M^resp and the authentication information MD^resp of the supplement message.
3.12.2 Message authentication: U1 takes out KA and performs the message authentication operation on M^resp to obtain the authentication information MD1. U1 compares MD1 with MD^resp; if they are not consistent, the message authentication condition is not met. In that case U1 returns a failed ACK (i.e., failed supplement feedback) and sets C to null, and the flow enters 3.15. If the message authentication succeeds, the next step is carried out.
The failed ACK is constructed as follows:
(a) Generate M2: M2 consists of the current timestamp TS2 and ACKERR. ACKERR is an agreed ACK string or identifier indicating that the supplement failed; it has many possible values.
(b) Generate MD2: take out KA and calculate a message authentication code over M2 to obtain MD2.
(c) Generate ME2: take out KE and symmetrically encrypt the message assembled from M2 and MD2 to generate ME2.
(d) Assemble ID1 and ME2 to complete the failed ACK.
3.12.3 Parse M^resp. If TS^resp and the error code RESPERR are parsed out of M^resp, the supplement has failed: U1 sets C to null, reports the supplement failure to the application layer, and the process ends.
Otherwise, TS^resp, SR^resp and H^resp are parsed out of M^resp.
3.12.4 Judge the reasonableness of SR^resp. If SR ≠ SR^resp, then SR^resp is unreasonable. In that case U1 returns a failed ACK (i.e., failed supplement feedback) and sets C to null, and the flow enters 3.15. If SR^resp is reasonable, the next step is carried out.
3.12.5 The supplement message is successfully parsed, and H^resp is written into CH.
3.13 U1 receives the encryption key (pre-supplementation).
A time interval T is set. If the encryption key has not been completely received within T after the RESP is received, U1 is judged to have failed to receive the encryption key, i.e., the pre-supplement fails.
RE' is transmitted over the network and may have been modified by the time it arrives, and is therefore denoted RE.
U1 symmetrically decrypts RE into R, which is then stored in CR.
One of the following two decryption methods is selected:
(a) One-time pad decryption:
RE is decrypted with the one-time-pad XOR algorithm, using the key RF of the key storage invalid area that is to be replenished. Since RF and RF' are a true random number key pair that was supplemented previously, their values are identical, so one-time-pad XOR decryption of RE can be performed to obtain R.
(b) Decryption with a general symmetric encryption algorithm, here exemplified by AES decryption:
RE is decrypted by the AES algorithm using the next key of KE or Kn.
After U1 stores R in CR, it calculates the hash value H of R and compares it with the hash value in CH. If they differ, R is judged to be inconsistent with R', i.e., the pre-supplement fails. If they are the same, R is judged to be consistent with R', i.e., the pre-supplement succeeds. Comparing hash values reliably verifies the key supplement state of the opposite side and ensures that the number of keys and the key values supplemented on the two sides of the symmetric key pool are consistent, which improves the stability and reliability of the supplement.
3.14 U1 sends ACK (i.e., supplement feedback)
According to whether the pre-supplement in the previous step succeeded or failed, U1 executes steps similar to 3.3, adding the ACK result to M to generate MEACK, the encrypted key supplement ACK message. The ACK result may be ACKOK or ACKERR. ACKOK is an agreed ACK string or identifier indicating that the supplement succeeded; ACKERR is an agreed ACK string or identifier indicating that the supplement failed, and has many possible values. ID1 and MEACK are assembled and sent to U2; this is the ACK.
If the pre-supplement succeeded, the supplement operation is performed in U1, i.e., R is copied to the area where RF is located and C is set to null. The supplement success is reported to the application layer.
If the pre-supplement failed, the supplement operation is abandoned in U1 and C is set to null. The supplement failure is reported to the application layer.
3.15 U2 receives ACK
3.15.1 USER2 finds U2: similarly to 3.6, USER2 parses out ID1^ack and MEACK^ack upon receipt of the ACK. Because ID1 and MEACK are transmitted over the network and may have been modified by the time they arrive, they are denoted ID1^ack and MEACK^ack. If ID1^ack is not recognized by any key pool of USER2, then ID1^ack is not a legal ID for USER2; this exception is denoted EXP3. In that case USER2 directly discards the packet and the process ends. Otherwise, USER2 finds the local key pool U2 with PID = ID1^ack and proceeds to the next step.
3.15.2 U2 decrypts and parses the ACK using the information of Kn'. U2 expects to parse out ACKOK or ACKERR and to authenticate the message. If the result of processing the ACK does not meet U2's expectation, ACK confirmation fails; U2 reports the supplement failure to the application layer and the process ends. Otherwise the ACK is confirmed, as either supplement success or supplement failure.
If the result is ACKOK, indicating that U1 supplemented successfully, U2 performs the supplement operation, i.e., copies R' to the area where RF' is located and sets C' to null. The supplement success is reported to the application layer.
If the result is ACKERR, indicating that U1 failed to supplement, U2 abandons the supplement operation and sets C' to null. The supplement failure is reported to the application layer.
This ends the PC.
4. Handling of supplemental exceptions
For the sake of comprehensive consideration, it is assumed below that both U1 and U2 can initiate supplemental requests, i.e., that both U1 and U2 carry a key source.
The messages sent and received between the active and passive replenishers may be supplement requests, supplement responses, encryption keys or supplement feedback. If slight packet loss occurs between U1 and U2 during supplementation, the success of the supplement is generally not affected, because of the retransmission mechanisms of the signaling. For example, if U1 does not receive a RESP after sending the INVITE, it resends the INVITE until the maximum number of INVITE transmissions is reached, and then abandons the attempt; if U2 does not receive an ACK after sending a successful RESP, it resends the RESP until the maximum number of RESP transmissions is reached, and then abandons the attempt. Generally, success is achieved before the maximum number of transmissions is reached.
If a situation of heavy packet loss or even network disconnection between U1 and U2 occurs in the supplement process, a supplement exception is caused, and the situation is called EC.
When U1 and U2 are in EC, key replenishment has been suspended, and at least one of C and C' is not empty; cryptographic applications at the application layer also do not work properly: the party that has not completed the supplementation cannot perform the key fetching operation, and even if the party that has completed the supplementation can fetch the key, the application using the key cannot transmit the authentication or encryption packet to the other party, nor receive any response from the other party. When the EC returns to normal, the key pools of the two parties cannot directly detect the change, but the key supplement is triggered to continue through a request of the application layer again.
For example, suppose U1 is in the supplementing state and its application layer needs to fetch a key. On checking, U1 finds that the key can only be fetched after the supplement is completed, which triggers U1 to continue and complete the previously failed key supplement.
As another example, suppose U1 is in the supplement-complete state and its application layer needs to fetch a key. It successfully fetches the key KUA using the information of C, and the application layer then sends authenticated or encrypted service data to U2. The application layer of U2 must fetch the matching key from U2 in order to handle it; if U2 is in the supplementing state at this time, U2 is triggered to continue and complete the previously failed key supplement.
In summary, when U1 and U2 are in EC, the previously failed key supplement can always be continued through a trigger from the application layer: either U1 or U2 is triggered.
The case of being in EC as the active party is named ECA. The case of being in EC as the passive party is named ECB. The various cases of EC and their specific flows are as follows:
(1) INVITE (supplemental request) loss
The symptom is that U1 never receives a RESP. At this time U1 is in ECA and U2 is in the supplement-complete state. That is: C is not empty; C' is empty. In EXP1 the ID of the INVITE has been tampered with; that case is similar to this one and can be resolved by the following method.
(1-1) U1 is triggered
When the active replenishing party and the passive replenishing party have a supplement exception caused by loss of the supplement request, and the active replenishing party is triggered to replenish the next time, it regenerates the supplement request using the key supplement control information of the unfinished last supplement flow, so as to continue the unfinished last supplement flow.
The flow from 3.3 to the completion of PC execution is called PE.
The specific process is as follows: U1 performs PE.
(1-2) U2 is triggered
When the passive replenishing party is triggered to replenish the next time (the passive replenishing party of the supplement exception changes its role to active replenishing party when it is triggered to replenish the next time), it can receive a supplement response indicating the supplement exception from the opposite party, and the opposite party regenerates the supplement request using the key supplement control information of the unfinished last supplement flow, so as to continue the unfinished last supplement flow.
The specific process is as follows: U2 takes its key supplement requirement, executes the PC and sends the INVITE. Because U1 parses the key supplement control information in it and finds that it does not correspond to U1's own key supplement control information, U1 sends a failed RESP, places ECA and its key supplement requirement in the RESPERR, and thereby informs the other party that it is in the ECA state of key supplement and of its last key supplement requirement. U1 is thus triggered and prepares to resolve the ECA. The two pieces of key supplement control information correspond when the key supplement requirements are equal. Consistent with the normal case, in the ECA case the message encryption and message authentication keys used by the failed RESP also come from Kn of U1. Upon receiving the failed RESP of U1, U2 determines with Kn' that the other party is in ECA, and the PC of U2 is then rolled back, i.e., the key supplement control information of U2 is emptied and the key supplement requirement of U2 is temporarily recorded. U1 executes the PE at this point (U1 initiates the PE flow upon issuing the failed RESP). After the PE flow ends normally, i.e., U1 and U2 have both supplemented successfully, U2 starts the PC according to the temporarily recorded key supplement requirement.
(2) ACK (supplemental feedback) loss
The symptom is that U2 never receives an ACK. At this point U1 is in the supplement-complete state and U2 is in ECB. That is: C is empty, and the key area pointed to by the previous key supplement requirement of U1 has already been supplemented with the key from U2; C' is not empty. In EXP3 the ID of the ACK has been tampered with; that case is similar to this one and can be resolved by the following method.
(2-1) U2 is triggered
When the passive replenishing party is triggered to replenish the next time, it sends a supplement response indicating the supplement exception to the opposite party; after receiving the supplement response, the opposite party regenerates the supplement request using the key supplement requirement of the last supplement flow, so as to continue the unfinished last supplement flow.
The specific process is as follows: U2 sends a failed RESP, places ECB and its key supplement requirement in the RESPERR, and thereby informs the other party that it is in the ECB state of key supplement and of its last key supplement requirement. Consistent with the normal case, in the ECB case the encryption and authentication keys used by the failed RESP also come from Kn' of U2. U1 determines the ECB with Kn, so U1 executes PE after acquiring and storing the key supplement requirement. Note that because the key area indicated by the previous key supplement requirement of U1 has already been supplemented with the key from U2, the algorithms of 3.10(a) and 3.13(a) can no longer be used, and the algorithms of 3.10(b) and 3.13(b) must be used.
(2-2) U1 is triggered
When the active replenishing party is triggered to replenish the next time, it can receive a supplement response indicating the supplement exception from the opposite party, and the active replenishing party regenerates the supplement request using the key supplement requirement of the unfinished last supplement flow, so as to continue the unfinished last supplement flow.
The specific process is as follows: U1 takes its key supplement requirement, executes the PC and sends the INVITE. Because U2 parses the key supplement control information in it and finds that it does not correspond to U2's own key supplement control information, U2 sends a failed RESP, places ECB and its key supplement requirement in the RESPERR, and thereby informs the other party that it is in the ECB state of key supplement and of its last key supplement requirement. Consistent with the normal case, in the ECB case the encryption and authentication keys used by the failed RESP also come from Kn' of U2. Upon receiving the failed RESP of U2, U1 determines with Kn that the other party is in ECB, and the PC of U1 is then rolled back, i.e., the key supplement control information of U1 is set to null and the key supplement requirement of U1 is temporarily recorded. The key supplement requirement of U1 is set to the key supplement requirement of U2, and PE is executed. Note that because the key area indicated by the previous key supplement requirement of U1 has already been supplemented with the key from U2, the algorithms of 3.10(a) and 3.13(a) can no longer be used, and the algorithms of 3.10(b) and 3.13(b) must be used. After the PE flow ends normally, i.e., U1 and U2 have both supplemented successfully, U1 starts the PC according to the temporarily recorded key supplement requirement.
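The normal flow of 3.1 to 3.15 and the ACK-loss caveat above can be traced in code. The following Python is an added example, not code from the patent: it runs the INVITE/RESP/ACK exchange with the one-time-pad option, then loses an ACK and shows that a one-time-pad retry fails the hash comparison of 3.13. Assumptions: the Pool class, the byte layout of M, HMAC-SHA256 for MD and SHA-256 for H are hypothetical choices; the KE encryption layer, the ID lookup and the reasonableness checks are left out; U2 draws a fresh R' on retry.

```python
import hashlib
import hmac
import os
import struct
import time


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def sha(data):
    return hashlib.sha256(data).digest()


class Pool:
    """One side's key pool plus its control information C (here: SR and R)."""

    def __init__(self, data, ka):
        self.data = bytearray(data)  # key storage (constructed sample bytes)
        self.ka = ka                 # KA, the message authentication key
        self.c = {}                  # C or C'; empty = no supplement pending

    def seal(self, m):
        """MS = M || MD with MD = HMAC-SHA256(KA, M) (assumed MAC choice)."""
        return m + hmac.new(self.ka, m, hashlib.sha256).digest()

    def open(self, ms):
        """Return M if MD verifies under KA, otherwise None."""
        m, md = ms[:-32], ms[-32:]
        good = hmac.new(self.ka, m, hashlib.sha256).digest()
        return m if hmac.compare_digest(md, good) else None

    def rf(self):
        """RF: current content of the area named by the pending SR."""
        pos, length = self.c["SR"]
        return bytes(self.data[pos:pos + length])

    def commit(self):
        """Supplement operation: copy R over RF, then set C to empty."""
        pos, length = self.c["SR"]
        self.data[pos:pos + length] = self.c["R"]
        self.c = {}


def run_flow(u1, u2, pos, length, drop_ack=False):
    """INVITE -> RESP + RE' -> ACK using 3.10(a)/3.13(a); returns the outcome."""
    # (1) U1 records SR in C and sends INVITE with M = TS, SR
    u1.c = {"SR": (pos, length)}
    invite = u1.seal(struct.pack(">dII", time.time(), pos, length))

    # (2) U2 authenticates, pre-supplements R', answers with TS', SR', H'
    m = u2.open(invite)
    if m is None:
        u1.c = {}
        return "RESPERR"
    _, pos2, length2 = struct.unpack(">dII", m)
    r2 = os.urandom(length2)                 # stands in for the key source
    u2.c = {"SR": (pos2, length2), "R": r2}
    resp = u2.seal(struct.pack(">dII", time.time(), pos2, length2) + sha(r2))
    re = xor(r2, u2.rf())                    # 3.10(a): RE' = R' xor RF'

    # (3) U1 authenticates RESP, checks SR, decrypts RE, compares hashes
    m = u1.open(resp)
    ok = m is not None
    if ok:
        _, pos3, length3 = struct.unpack(">dII", m[:16])
        r = xor(re, u1.rf())                 # 3.13(a): R = RE xor RF
        ok = (pos3, length3) == u1.c["SR"] and hmac.compare_digest(sha(r), m[16:])
    result = b"ACKOK" if ok else b"ACKERR"
    ack = u1.seal(struct.pack(">d", time.time()) + result)
    if ok:
        u1.c["R"] = r
        u1.commit()
    else:
        u1.c = {}

    # 3.15 U2 acts on the ACK, unless the network lost it
    if drop_ack:
        return "LOST"                        # C' stays non-empty: U2 is in ECB
    m = u2.open(ack)
    if m is not None and m[8:] == b"ACKOK":
        u2.commit()
    else:
        u2.c = {}
    return m[8:].decode() if m is not None else "ACKERR"


def demo():
    ka, seed = os.urandom(32), os.urandom(64)  # constructed shared state
    u1, u2 = Pool(seed, ka), Pool(seed, ka)
    first = run_flow(u1, u2, 0, 16)                 # normal PC
    in_sync = u1.data == u2.data
    lost = run_flow(u1, u2, 16, 16, drop_ack=True)  # ACK never reaches U2
    diverged = u1.data != u2.data and u1.c == {} and u2.c != {}
    retry = run_flow(u1, u2, 16, 16)                # retry with the OTP option
    return first, in_sync, lost, diverged, retry
```

In the retry, U2 still pads with its old RF' while U1's area already holds R, so the decrypted value does not hash to H' and U1 answers ACKERR; this is why the text requires 3.10(b) and 3.13(b) after ACK loss.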
(3) Loss of RESP (supplemental response)
The symptom is that U1 has not received a RESP and U2 has not received an ACK. At this time U1 is in ECA and U2 is in ECB. That is: C is not empty; C' is not empty. In EXP2 the ID of the RESP has been tampered with; that case is similar to this one and can be resolved by the following method.
(3-1) U1 is triggered
When the active replenishing party and the passive replenishing party have a supplement exception caused by loss of the supplement response, and the active replenishing party is triggered to replenish the next time, it regenerates the supplement request using the key supplement requirement of the unfinished last supplement flow, so as to continue the unfinished last supplement flow.
The specific process is as follows: U1 performs PE.
(3-2) U2 is triggered
When the passive replenishing party is triggered to replenish the next time, it sends a supplement response indicating the supplement exception to the opposite party; after receiving the supplement response, the opposite party regenerates the supplement request using the key supplement requirement of the unfinished last supplement flow, so as to continue the unfinished last supplement flow.
The specific process is as follows: U2 sends a failed RESP, places ECB and its key supplement requirement in the RESPERR, and thereby informs the other party that it is in the ECB state of key supplement and of its last key supplement requirement. Consistent with the normal case, in the ECB case the encryption and authentication keys used by the failed RESP also come from Kn' of U2. U1 determines with Kn that the other party is in ECB, so U1 executes PE.
Symmetric key pool replenishment carries the risk that one or both parties fail to replenish, which can leave the key pairs unable to match in subsequent use and in turn lead to revocation of the key pool. The invention handles these abnormal conditions, ensures that the symmetric key pool can still be supplemented normally after an abnormal condition occurs, and verifies the consistency of the supplemented key.
The above disclosure is only an embodiment of the present invention, but the present invention is not limited thereto, and those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. It is to be understood that such changes and modifications are intended to be included within the scope of the appended claims. Furthermore, although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims (15)

1. A key supplement method based on a symmetric key pool is implemented on an active supplement party and is characterized in that messages transmitted and received between the active supplement party and a passive supplement party are all in a ciphertext mode, and the messages are provided with authentication information for the other party to authenticate; the key supplementing method specifically comprises the following steps:
sending a supplement request to a passive supplement party, wherein the supplement request comprises an identity identifier, key supplement information and a message authentication code, and the key supplement information and the message authentication code are in a ciphertext form; the key supplement information comprises a timestamp and a key supplement requirement, and the key supplement requirement comprises a key supplement position needing to be supplemented and a key length;
receiving a supplement response returned by the passive supplement party after the passive supplement party processes the supplement request, performing supplement judgment, sending supplement feedback to the passive supplement party according to a judgment result, and performing corresponding supplement on the passive supplement party;
when a supplement request loss exception occurs:
when the active supplementing party is triggered to supplement the next time, a supplement request is regenerated by using the key supplement control information in the unfinished last supplement flow so as to continue the unfinished last supplement flow;
when the passive supplementing party is triggered to supplement the next time, the passive supplementing party of the supplement exception changes its role to active supplementing party, a supplement response indicating the supplement exception can be received from the opposite party, and the opposite party regenerates a supplement request by using the key supplement control information in the unfinished last supplement flow so as to continue the unfinished last supplement flow;
when a supplement feedback loss exception occurs:
when the passive supplementing party is triggered to supplement the next time, a supplement response indicating the supplement exception is sent to the opposite party, and after the opposite party receives the supplement response, a supplement request is regenerated by using the key supplement requirement in the last supplement flow so as to continue the unfinished last supplement flow;
when the active supplementing party is triggered to supplement the next time, a supplement response indicating the supplement exception can be received from the opposite party, and the active supplementing party regenerates a supplement request by using the key supplement requirement in the unfinished last supplement flow so as to continue the unfinished last supplement flow;
when a supplement response loss exception occurs:
when the active supplementing party is triggered to supplement the next time, a supplement request is regenerated by using the key supplement requirement in the unfinished last supplement flow so as to continue the unfinished last supplement flow;
and when the passive supplementing party is triggered to supplement the next time, a supplement response indicating the supplement exception is sent to the opposite party, and after the opposite party receives the supplement response, a supplement request is regenerated by using the key supplement requirement in the unfinished last supplement flow so as to continue the unfinished last supplement flow.
2. A key supplement method based on a symmetric key pool is implemented on a passive supplement party and is characterized in that messages transmitted and received between the passive supplement party and an active supplement party are all in a ciphertext mode, and the messages are provided with authentication information for the other party to authenticate; the key supplementing method specifically comprises the following steps:
receiving a supplement request from an active supplement party, judging whether the supplement is performed or not, sending a supplement response to the active supplement party according to a judgment result, and sending a successful supplement response to the active supplement party when the key supplement requirement is judged to be reasonable, wherein the successful supplement response comprises an identity, key supplement information and a message authentication code, and the key supplement information and the message authentication code are in a ciphertext form; the key supplement information comprises a timestamp and a key supplement requirement, and the key supplement requirement comprises a key position to be supplemented and a key length; the supplement response is used for the active supplement party to carry out supplement judgment;
receiving supplement feedback returned by the active supplement party according to the supplement judgment and corresponding supplement at the own party;
when a supplement request loss exception occurs:
when the active supplementing party is triggered to supplement the next time, a supplement request is regenerated by using the key supplement control information in the unfinished last supplement flow so as to continue the unfinished last supplement flow;
when the passive supplementing party is triggered to supplement the next time, the passive supplementing party of the supplement exception changes its role to active supplementing party, a supplement response indicating the supplement exception can be received from the opposite party, and the opposite party regenerates a supplement request by using the key supplement control information in the unfinished last supplement flow so as to continue the unfinished last supplement flow;
when a supplement feedback loss exception occurs:
when the passive supplementing party is triggered to supplement the next time, a supplement response indicating the supplement exception is sent to the opposite party, and after the opposite party receives the supplement response, a supplement request is regenerated by using the key supplement requirement in the last supplement flow so as to continue the unfinished last supplement flow;
when the active supplementing party is triggered to supplement the next time, a supplement response indicating the supplement exception can be received from the opposite party, and the active supplementing party regenerates a supplement request by using the key supplement requirement in the unfinished last supplement flow so as to continue the unfinished last supplement flow;
when a supplement response loss exception occurs:
when the active supplementing party is triggered to supplement the next time, a supplement request is regenerated by using the key supplement requirement in the unfinished last supplement flow so as to continue the unfinished last supplement flow;
and when the passive supplementing party is triggered to supplement the next time, a supplement response indicating the supplement exception is sent to the opposite party, and after the opposite party receives the supplement response, a supplement request is regenerated by using the key supplement requirement in the unfinished last supplement flow so as to continue the unfinished last supplement flow.
3. A key supplement method based on a symmetric key pool is implemented between two supplement parties with the symmetric key pool, and is characterized in that the two supplement parties both use a ciphertext mode when sending messages to each other, and the messages have authentication information for the other party to authenticate; the key supplementing method specifically comprises the following steps:
the method comprises the steps that an active supplementing party sends a supplementing request to a passive supplementing party, wherein the supplementing request comprises an identity, key supplementing information and a message authentication code, and the key supplementing information and the message authentication code are in a ciphertext form; the key supplement information comprises a timestamp and a key supplement requirement, and the key supplement requirement comprises a key supplement position needing to be supplemented and a key length;
the passive supplementing party judges whether the supplementation is performed or not after receiving the supplementation request, sends a corresponding supplementation response to the active supplementing party according to the judgment result, and sends a successful supplementation response to the active supplementing party when the requirement of the key supplementation is judged to be reasonable, wherein the successful supplementation response comprises an identity, key supplementation information and a message authentication code, and the key supplementation information and the message authentication code are in a ciphertext form; the key supplement information comprises a timestamp and a key supplement requirement, and the key supplement requirement comprises a key position to be supplemented and a key length;
the active supplementing party receives the supplementing response, carries out supplementing judgment, sends supplementing feedback to the passive supplementing party according to the judgment result and supplements correspondingly at the own party;
the passive supplementing party receives the supplementing feedback and supplements correspondingly at the own party;
when a supplement request loss exception occurs:
when the active supplementing party is next triggered to supplement, it regenerates a supplement request using the key supplement control information from the unfinished previous supplement flow, so as to continue that flow;
when the passive supplementing party of the abnormal flow is next triggered to supplement, its role changes to active supplementing party; it can receive a supplement response indicating a supplement exception from the opposite party, and the opposite party regenerates a supplement request using the key supplement control information from the unfinished previous supplement flow, so as to continue that flow;
when a supplement feedback loss exception occurs:
when the passive supplementing party is next triggered to supplement, it sends a supplement response indicating a supplement exception to the opposite party, and after receiving that response the opposite party regenerates a supplement request using the key supplement requirement from the previous supplement flow, so as to continue the unfinished previous supplement flow;
when the active supplementing party is next triggered to supplement, it can receive a supplement response indicating a supplement exception from the opposite party, and the active supplementing party regenerates a supplement request using the key supplement requirement from the unfinished previous supplement flow, so as to continue that flow;
when a supplement response loss exception occurs:
when the active supplementing party is next triggered to supplement, it regenerates a supplement request using the key supplement requirement from the unfinished previous supplement flow, so as to continue that flow;
and when the passive supplementing party is next triggered to supplement, it sends a supplement response indicating a supplement exception to the opposite party, and after receiving that response the opposite party regenerates a supplement request using the key supplement requirement from the unfinished previous supplement flow, so as to continue that flow.
4. The key supplementing method based on the symmetric key pool according to claim 3, wherein the active supplementing party firstly judges the reasonability of the key supplementing requirement, if any one of the following conditions is met, the key supplementing requirement is judged to be unreasonable, and the supplementing request is not sent any more:
(a) the supplementary area is overlapped with the effective area of the key storage;
(b) the supplementary area is smaller than the set value;
(c) the supplementary area is too large and exceeds the size of the key supplement cache.
5. The key supplementing method based on the symmetric key pool according to claim 3, wherein the passive supplementing party judges whether to perform pre-supplementation in such a way as to judge the reasonability of the key supplementing requirement, and if any one of the following conditions is met, the key supplementing requirement is judged to be unreasonable, and a failed supplementing response is sent to the active supplementing party:
(a) the supplementary area is overlapped with the effective area of the key storage;
(b) the supplementary area is smaller than the set value;
(c) the supplementary area is too large and exceeds the size of the key supplement cache.
6. The method of claim 5, wherein the passive side is configured with a key source, and the pre-supplementation includes applying for a true random number key of a required length from the key source by the passive side and storing the true random number key in a cache of the passive side.
7. The symmetric-key-pool-based key supplement method as defined in claim 6, wherein the passive supplementing party further calculates a hash value of the true random number key, and in response, the key supplement information further includes the hash value.
8. The symmetric-key-pool-based key supplement method of claim 7, wherein the passive supplement party further sends the true random number key applied to the active supplement party in a ciphertext manner after the pre-supplement is completed.
9. The method of claim 8, wherein the true random number key is encrypted by one-time pad encryption or a general symmetric encryption algorithm.
10. The key supplement method based on the symmetric key pool as claimed in claim 8, wherein the active supplement party performs decryption and authentication after receiving the supplement response, and further analyzes the supplement response if the authentication is successful;
if the supplement response is a failed supplement response, the active supplementing party reports the supplement failure to the application layer, and the process ends;
if the supplement response is a successful supplement response, the active supplementing party judges the reasonability of the key supplement requirement, and if the judgment fails, failed supplement feedback is sent to the passive supplementing party; and if the judgment succeeds, the hash value is written into the designated cache region.
11. The method for supplementing keys based on a symmetric key pool according to claim 10, wherein the active supplementing party performs corresponding decryption and storage in the cache after receiving the true random number key from the passive supplementing party;
verifying the decrypted true random number key by using the hash value, and sending failed supplementary feedback or successful supplementary feedback to a passive supplementary party according to whether the verification is successful or not;
if the verification is successful, copying the decrypted true random number key into a key pool to complete key supplement;
and if the verification fails, correspondingly reporting to the application layer.
12. The key supplementing method based on the symmetric key pool as claimed in claim 11, wherein the passive supplementing party receives the supplement feedback, decrypts and analyzes the supplement feedback, and if the supplement feedback is failed supplement feedback, the passive supplementing party abandons the supplement operation and reports the supplement failure to the application layer;
and if the feedback is successful supplement, copying the true random number key in the cache into the key pool, namely completing the key supplement.
13. A key supplement apparatus based on a symmetric key pool as an active supplement, comprising a processor and a memory, wherein the memory is used for storing the following instructions and loaded and executed by the processor:
sending a supplement request to a passive supplement party, wherein the supplement request comprises an identity identifier, key supplement information and a message authentication code, and the key supplement information and the message authentication code are in a ciphertext form; the key supplement information comprises a timestamp and a key supplement requirement, and the key supplement requirement comprises a key supplement position needing to be supplemented and a key length;
receiving a supplement response returned by the passive supplement party after the passive supplement party processes the supplement request, performing supplement judgment, sending supplement feedback to the passive supplement party according to a judgment result, and performing corresponding supplement on the passive supplement party;
when a supplement request loss exception occurs:
when the active supplementing party is next triggered to supplement, it regenerates a supplement request using the key supplement control information from the unfinished previous supplement flow, so as to continue that flow;
when the passive supplementing party of the abnormal flow is next triggered to supplement, its role changes to active supplementing party; it can receive a supplement response indicating a supplement exception from the opposite party, and the opposite party regenerates a supplement request using the key supplement control information from the unfinished previous supplement flow, so as to continue that flow;
when a supplement feedback loss exception occurs:
when the passive supplementing party is next triggered to supplement, it sends a supplement response indicating a supplement exception to the opposite party, and after receiving that response the opposite party regenerates a supplement request using the key supplement requirement from the previous supplement flow, so as to continue the unfinished previous supplement flow;
when the active supplementing party is next triggered to supplement, it can receive a supplement response indicating a supplement exception from the opposite party, and the active supplementing party regenerates a supplement request using the key supplement requirement from the unfinished previous supplement flow, so as to continue that flow;
when a supplement response loss exception occurs:
when the active supplementing party is next triggered to supplement, it regenerates a supplement request using the key supplement requirement from the unfinished previous supplement flow, so as to continue that flow;
when the passive supplementing party is next triggered to supplement, it sends a supplement response indicating a supplement exception to the opposite party, and after receiving that response the opposite party regenerates a supplement request using the key supplement requirement from the unfinished previous supplement flow, so as to continue that flow;
the messages transmitted and received between the active supplementing party and the passive supplementing party are all in a ciphertext mode, and the messages are provided with authentication information for the other party to authenticate.
14. A key supplement apparatus based on a symmetric key pool as a passive complement party, comprising a processor and a memory, wherein the memory is configured to store instructions and to be loaded and executed by the processor:
receiving a supplement request from an active supplement party, judging whether the supplement is performed or not, sending a supplement response to the active supplement party according to a judgment result, and sending a successful supplement response to the active supplement party when the key supplement requirement is judged to be reasonable, wherein the successful supplement response comprises an identity, key supplement information and a message authentication code, and the key supplement information and the message authentication code are in a ciphertext form; the key supplement information comprises a timestamp and a key supplement requirement, and the key supplement requirement comprises a key position to be supplemented and a key length; the supplement response is used for the active supplement party to carry out supplement judgment;
receiving the supplement feedback returned by the active supplement party according to the supplement judgment, and performing the corresponding supplement at its own side;
the symmetric key pool is controlled and supplemented by a key supplement module, the key supplement module comprises key supplement control information and a key supplement algorithm module, the key supplement control information of an active supplement party is C, and the key supplement control information of a passive supplement party is C';
when C is not empty and C' is empty, it is judged that a supplement request loss exception has occurred, and the following exception handling is performed:
when the active supplementing party is next triggered to supplement, it regenerates a supplement request using the key supplement control information from the unfinished previous supplement flow, so as to continue that flow;
when the passive supplementing party of the abnormal flow is next triggered to supplement, its role changes to active supplementing party; it can receive a supplement response indicating a supplement exception from the opposite party, and the opposite party regenerates a supplement request using the key supplement control information from the unfinished previous supplement flow, so as to continue that flow;
when C is empty and C' is not empty, it is judged that a supplement feedback loss exception has occurred, and the following exception handling is performed:
when the passive supplementing party is next triggered to supplement, it sends a supplement response indicating a supplement exception to the opposite party, and after receiving that response the opposite party regenerates a supplement request using the key supplement requirement from the previous supplement flow, so as to continue the unfinished previous supplement flow;
when the active supplementing party is next triggered to supplement, it can receive a supplement response indicating a supplement exception from the opposite party, and the active supplementing party regenerates a supplement request using the key supplement requirement from the unfinished previous supplement flow, so as to continue that flow;
when C is not empty and C' is not empty, it is judged that a supplement response loss exception has occurred, and the following exception handling is performed:
when the active supplementing party is next triggered to supplement, it regenerates a supplement request using the key supplement requirement from the unfinished previous supplement flow, so as to continue that flow;
when the passive supplementing party is next triggered to supplement, it sends a supplement response indicating a supplement exception to the opposite party, and after receiving that response the opposite party regenerates a supplement request using the key supplement requirement from the unfinished previous supplement flow, so as to continue that flow;
the messages transmitted and received between the passive supplementing party and the active supplementing party are all in a ciphertext mode, and the messages are provided with authentication information for the other party to authenticate.
15. A key supplement system comprising the symmetric key pool-based key supplement apparatus of claim 13 as an active replenisher and the symmetric key pool-based key supplement apparatus of claim 14 as a passive replenisher.
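The flow of claims 3 to 12 and the loss classification of claim 14, as an added Python example (not code from the patent): both parties run in one process so that C and C' can be compared directly. SHA-256 as the hash, the `MIN_LEN` and `CACHE_SIZE` values, a linear pool with a single valid region, the bounds check and all names are assumptions; message encryption and message authentication codes are not modelled.

```python
import hashlib
import hmac
import os

MIN_LEN = 16     # assumed "set value" for condition (b)
CACHE_SIZE = 64  # assumed size of the key supplement cache, condition (c)

class Party:
    def __init__(self, pool_size, valid):
        self.pool = bytearray(pool_size)
        self.valid = valid    # (start, end) of the region still holding usable key
        self.cache = b""
        self.control = None   # key supplement control info: C (active) or C' (passive)

def reasonable(party, pos, length):
    """Claims 4/5: unreasonable if (a) overlaps valid key, (b) too small, (c) exceeds cache."""
    start, end = party.valid
    overlaps = pos < end and start < pos + length
    in_pool = 0 <= pos and pos + length <= len(party.pool)  # added bounds check (assumption)
    return in_pool and not overlaps and MIN_LEN <= length <= CACHE_SIZE

def finish(party, ok):
    """Copy the cached key into the pool on success, then clear cache and control info."""
    if ok:
        pos, length = party.control
        party.pool[pos:pos + length] = party.cache
    party.cache, party.control = b"", None

def supplement(active, passive, pos, length, lost=None, corrupt=False, key_source=os.urandom):
    """One flow. `lost` drops 'request', 'response' or 'feedback'; `corrupt` damages the key."""
    if not reasonable(active, pos, length):
        return "unreasonable"              # claim 4: the request is never sent
    active.control = (pos, length)         # C is set when the request goes out
    if lost == "request":
        return "incomplete"
    if not reasonable(passive, pos, length):
        active.control = None
        return "failed response"           # claim 5
    passive.control = (pos, length)        # C' is set when the request is accepted
    passive.cache = key_source(length)     # claim 6: pre-supplement into the cache
    digest = hashlib.sha256(passive.cache).digest()  # claim 7: hash travels in the response
    if lost == "response":
        return "incomplete"
    sent = passive.cache                   # claim 8 transfer (encryption not modelled)
    active.cache = bytes([sent[0] ^ 1]) + sent[1:] if corrupt else sent
    ok = hmac.compare_digest(hashlib.sha256(active.cache).digest(), digest)  # claim 11
    finish(active, ok)                     # active side commits or discards first
    if lost == "feedback":
        return "incomplete"
    finish(passive, ok)                    # claim 12: passive side follows the feedback
    return "supplemented" if ok else "failed feedback"

def classify(active, passive):
    """Claim 14: name the lost message from C and C', and return the requirement to resend."""
    c, c_prime = active.control, passive.control
    if c and not c_prime:
        return "request lost", c
    if c_prime and not c:
        return "feedback lost", c_prime
    if c and c_prime:
        return "response lost", c
    return "no pending flow", None

if __name__ == "__main__":
    a, p = Party(128, (0, 32)), Party(128, (0, 32))
    print(supplement(a, p, 32, 32, lost="feedback"), classify(a, p))
```

With the feedback dropped, the active pool already holds the new key while the passive side still has it only in its cache, which is the divergence the C-empty, C'-non-empty case identifies.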
CN201711204731.8A 2017-11-27 2017-11-27 Key supplementing method, key supplementing device and key supplementing system based on symmetric key pool Active CN107959569B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711204731.8A CN107959569B (en) 2017-11-27 2017-11-27 Key supplementing method, key supplementing device and key supplementing system based on symmetric key pool

Publications (2)

Publication Number Publication Date
CN107959569A CN107959569A (en) 2018-04-24
CN107959569B true CN107959569B (en) 2020-11-17

Family

ID=61962269

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711204731.8A Active CN107959569B (en) 2017-11-27 2017-11-27 Key supplementing method, key supplementing device and key supplementing system based on symmetric key pool

Country Status (1)

Country Link
CN (1) CN107959569B (en)

Also Published As

Publication number Publication date
CN107959569A (en) 2018-04-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant