CN108337084A - Key distribution system, method and device - Google Patents

Publication number
CN108337084A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710051861.6A
Other languages
Chinese (zh)
Inventor
马冰珂
刘福文
阎军智
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Communications Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Co Ltd
Application filed by China Mobile Communications Group Co Ltd, China Mobile Communications Co Ltd
Priority to CN201710051861.6A
Publication of CN108337084A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H04L9/0855 Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0858 Details about key distillation or coding, e.g. reconciliation, error correction, privacy amplification, polarisation coding or phase coding

Abstract

This application relates to the field of mobile communication technology, and in particular to a key distribution system, method and device, which address the prior-art problem that a session key is easily leaked when it is transmitted through relays. The key distribution system provided by the embodiments of this application includes: a sending end, which generates a session key after confirming that a session with the receiving end is needed, performs a first encryption on the session key using a first shared key and a first encryption algorithm negotiated in advance with the receiving end, and sends the result to one of N relays; the N relays, each of which receives the first-encrypted session key from the sending end or from its upstream relay and sends it to the receiving end or to its downstream relay; and the receiving end, which receives the first-encrypted session key from one of the N relays and decrypts it, using the first shared key and the first decryption algorithm corresponding to the pre-negotiated first encryption algorithm, to obtain the session key.

Description

Key distribution system, method and device
Technical field
This application relates to the field of communication technology, and in particular to a key distribution system, method and device.
Background
At present, quantum secure communication is a communication technology with relatively high security. It consists mainly of two steps: session key distribution over a quantum network, and encrypted data transmission over a traditional network. Session key distribution is the key step of quantum secure communication.
In the prior art, distributing session keys over long distances usually requires introducing relays into the quantum network. Once relays are introduced, every relay can obtain the session key while the quantum network distributes it to the two parties of the session. If any relay is untrusted, an attacker can therefore easily obtain the session key of the two parties and then steal their communication data.
It can be seen that, in the prior art, the session key is easily leaked when the communicating parties transmit it through relays.
Summary of the invention
The embodiments of this application provide a key distribution system, method and device to solve the prior-art problem that the session key is easily leaked when the communicating parties transmit it through relays.
A key distribution system provided by the embodiments of this application includes a sending end, N relays and a receiving end, where N is an integer greater than or equal to 1:
The sending end is configured to generate a session key after confirming that a session with the receiving end is needed; to perform a first encryption on the session key using a first shared key and a first encryption algorithm negotiated in advance with the receiving end; and to send the first-encrypted session key to one of the N relays;
Each of the N relays is configured to receive the first-encrypted session key sent by the sending end or by the relay's upstream relay, and to send it to the receiving end or to the relay's downstream relay;
The receiving end is configured to receive the first-encrypted session key sent by one of the N relays, and to decrypt it using the first shared key and the first decryption algorithm corresponding to the pre-negotiated first encryption algorithm, obtaining the session key so that it can hold the session with the sending end based on that key.
Optionally, the sending end is specifically configured to:
After obtaining the first-encrypted session key, perform a second encryption on it using a second shared key and a second encryption algorithm negotiated in advance with the first relay, and send the result to the first relay, where the first relay is the relay among the N relays that receives the session key sent by the sending end;
Any one of the N relays is specifically configured to:
Decrypt the twice-encrypted session key sent by the sending end or by the upstream relay to obtain the first-encrypted session key; then encrypt the first-encrypted session key and send it to the receiving end or to the relay's downstream relay;
The receiving end is further configured to:
Before decrypting the first-encrypted session key, and after receiving the twice-encrypted session key sent by the Nth relay, perform an (N+2)th decryption on the session key that has undergone the (N+2)th encryption, using the (N+2)th shared key negotiated in advance with the Nth relay and the (N+2)th decryption algorithm corresponding to the (N+2)th encryption algorithm, to obtain the first-encrypted session key. Here the Nth relay is the relay among the N relays that sends the session key to the receiving end.
A key distribution method provided by the embodiments of this application includes:
The sending end generates a session key after confirming that a session with the receiving end is needed;
It performs a first encryption on the session key using the first shared key and the first encryption algorithm negotiated in advance with the receiving end;
It sends the first-encrypted session key to the first relay, so that the first-encrypted session key is delivered to the receiving end via the first relay.
Optionally, sending the first-encrypted session key to the first relay includes:
Performing a second encryption on the first-encrypted session key using the second shared key and the second encryption algorithm negotiated in advance with the first relay, and then sending it to the first relay, so that the first relay sends the second-encrypted session key to the receiving end, or forwards it to the receiving end through other relays.
Another key distribution method provided by the embodiments of this application includes:
The receiving end receives the first-encrypted session key sent by the Nth relay. The first encryption is the encryption that the sending end applies to the session key it generated, using the first shared key and the first encryption algorithm negotiated in advance with the receiving end. N is the number of relays traversed when the sending end's session key is transmitted to the receiving end, and is an integer greater than or equal to 1;
The receiving end decrypts the first-encrypted session key using the first shared key and the first decryption algorithm corresponding to the pre-negotiated first encryption algorithm, obtaining the session key so that it can hold the session with the sending end based on that key.
Optionally, before the first-encrypted session key is decrypted, the method further includes:
Performing an (N+2)th decryption on the session key that has undergone the (N+2)th encryption, using the (N+2)th shared key negotiated in advance with the Nth relay and the (N+2)th decryption algorithm corresponding to the (N+2)th encryption algorithm, to obtain the first-encrypted session key.
A key distribution device provided by the embodiments of this application includes:
A generation module, configured to generate a session key after confirming that a session with the receiving end is needed;
An encryption module, configured to perform a first encryption on the session key using the first shared key and the first encryption algorithm negotiated in advance with the receiving end;
A sending module, configured to send the first-encrypted session key to the first relay, so that the first-encrypted session key is delivered to the receiving end via the first relay.
Optionally, the sending module is specifically configured to:
Perform a second encryption on the first-encrypted session key using the second shared key and the second encryption algorithm negotiated in advance with the first relay, and then send it to the first relay, so that the first relay sends the second-encrypted session key to the receiving end, or forwards it to the receiving end through other relays.
Another key distribution device provided by the embodiments of this application includes:
A receiving module, configured to receive the first-encrypted session key sent by the Nth relay. The first encryption is the encryption that the sending end applies to the session key it generated, using the first shared key and the first encryption algorithm negotiated in advance with the receiving end. N is the number of relays traversed when the sending end's session key is transmitted to the receiving end, and is an integer greater than or equal to 1;
A decryption module, configured to decrypt the first-encrypted session key using the first shared key and the first decryption algorithm corresponding to the pre-negotiated first encryption algorithm, obtaining the session key so that the session with the sending end can be held based on that key.
Optionally, the decryption module is further configured to:
Perform an (N+2)th decryption on the session key that has undergone the (N+2)th encryption, using the (N+2)th shared key negotiated in advance with the Nth relay and the (N+2)th decryption algorithm corresponding to the (N+2)th encryption algorithm, to obtain the first-encrypted session key.
In the key distribution system provided by the embodiments of this application, the sending end generates a session key after confirming that a session with the receiving end is needed, performs a first encryption on it using the first shared key and the first encryption algorithm negotiated in advance with the receiving end, and sends the result to one of the N relays. Each of the N relays receives the first-encrypted session key sent by the sending end or by its upstream relay and sends it to the receiving end or to the downstream relay. The receiving end receives the first-encrypted session key sent by one of the N relays and decrypts it, using the first shared key and the first decryption algorithm corresponding to the first encryption algorithm, to obtain the session key, and then holds the session with the sending end. In the embodiments of this application, before passing the session key to a relay, the sending end can encrypt it with the first shared key and a first encryption algorithm of higher security level. The first relay (the relay that directly receives the session key from the sending end) therefore receives a session key that the sending end has already encrypted. That relay does not know the first shared key used by the sending end and cannot obtain information about the first encryption algorithm, so it cannot recover the session key the sending end is transmitting. Every subsequent relay likewise transmits only the session key after the sending end's first encryption and cannot obtain the sending end's session key, so the security of the session key is ensured. In addition, even if an untrusted relay exists, an attacker can obtain only the first-encrypted session key and cannot obtain the communicating parties' session key through the relay.
Brief description of the drawings
Fig. 1 is a schematic diagram of the key distribution system provided by the embodiments of this application;
Fig. 2 is a schematic diagram, provided by the embodiments of this application, of the process by which the sending end transmits the session key to the receiving end through N relays;
Fig. 3 is a schematic diagram of three-party communication provided by the embodiments of this application;
Fig. 4 is a schematic diagram of multi-party communication provided by the embodiments of this application;
Fig. 5 is a flowchart of the key distribution method provided by the embodiments of this application;
Fig. 6 is a flowchart of another key distribution method provided by the embodiments of this application;
Fig. 7 is a structural diagram of the key distribution device provided by the embodiments of this application;
Fig. 8 is a structural diagram of another key distribution device provided by the embodiments of this application.
Detailed description
In the key distribution system provided by the embodiments of this application, the sending end generates a session key after confirming that a session with the receiving end is needed, performs a first encryption on it using the first shared key and the first encryption algorithm negotiated in advance with the receiving end, and sends the result to one of the N relays. Each of the N relays receives the first-encrypted session key sent by the sending end or by its upstream relay and sends it to the receiving end or to the downstream relay. The receiving end receives the first-encrypted session key sent by one of the N relays and decrypts it, using the first shared key and the first decryption algorithm corresponding to the first encryption algorithm, to obtain the session key, and then holds the session with the sending end. In the embodiments of this application, before passing the session key to a relay, the sending end can encrypt it with the first shared key and a first encryption algorithm of higher security level. The first relay therefore receives a session key that the sending end has already encrypted. That relay does not know the first shared key used by the sending end and cannot obtain information about the first encryption algorithm, so it cannot recover the session key the sending end is transmitting. Every subsequent relay likewise transmits only the session key after the sending end's first encryption and cannot obtain the sending end's session key, so the security of the session key is ensured. In addition, even if an untrusted relay exists, an attacker can obtain only the first-encrypted session key and cannot obtain the communicating parties' session key through the relay.
Embodiment one
As shown in Fig. 1, the schematic diagram 10 of the key distribution system provided by the embodiments of this application includes a sending end, N relays and a receiving end, where N is an integer greater than or equal to 1:
The sending end is configured to generate a session key after confirming that a session with the receiving end is needed; to perform a first encryption on the session key using the first shared key and the first encryption algorithm negotiated in advance with the receiving end; and to send the first-encrypted session key to one of the N relays.
Here, after confirming that a session with the receiving end is needed, the sending end can generate the session key by means such as a physical noise source, a pseudo-random number generator, or a stream cipher.
Optionally, the first shared key can be distributed between the sending end and the receiving end by key exchange methods such as maintaining public/private key pairs, digital certificates, the Diffie-Hellman key exchange protocol, Internet Protocol Security (IPSec), or the Internet Key Exchange protocol (IKE). Considering the long-term security of the shared key, the sending end and the receiving end can also distribute the first shared key using post-quantum-secure cryptographic techniques such as multivariate cryptography and lattice-based cryptography: no effective attack on these techniques has been found so far even under the quantum computing model, and the industry generally believes that these emerging techniques can provide long-term usability and security.
In addition, the first encryption algorithm can be implemented with symmetric cryptography, for example a high-strength algorithm such as Advanced Encryption Standard (AES) in cipher block chaining (CBC) mode, or with post-quantum-secure techniques such as multivariate cryptography and lattice-based cryptography, to ensure the strength of the encryption applied to the session key. The relays cannot obtain the first encryption algorithm, which ensures that an attacker cannot intercept the session key through a relay.
In a specific implementation, after obtaining the first-encrypted session key, the sending end can also perform a second encryption on it, using the second shared key and the second encryption algorithm negotiated in advance with the first relay, before sending it to the first relay. The first relay is the relay among the N relays that receives the session key sent by the sending end.
Each of the N relays is configured to receive the first-encrypted session key sent by the sending end or by the relay's upstream relay, and to send it to the receiving end or to the relay's downstream relay.
Optionally, shared keys can be established over the quantum network between the sending end and the relay that receives the session key from it, between each upstream relay and its downstream relay, and between the relay that sends the session key to the receiving end and the receiving end, to ensure that the first-encrypted session key is transmitted reliably from the sending end to the receiving end. The shared keys established for these links may be the same or different; no limitation is imposed here.
In a specific implementation, any one of the N relays decrypts the twice-encrypted session key sent by the sending end or by the upstream relay to obtain the first-encrypted session key, then encrypts the first-encrypted session key and sends it to the receiving end or to its downstream relay.
The receiving end is configured to receive the first-encrypted session key sent by one of the N relays, and to decrypt it using the first shared key negotiated in advance with the sending end and the first decryption algorithm corresponding to the first encryption algorithm, obtaining the session key so that it can hold the session with the sending end based on that key.
Optionally, before decrypting the first-encrypted session key, and after receiving the twice-encrypted session key sent by the Nth relay, the receiving end can also perform an (N+2)th decryption on the session key that has undergone the (N+2)th encryption, using the (N+2)th shared key negotiated in advance with the Nth relay and the (N+2)th decryption algorithm corresponding to the (N+2)th encryption algorithm, to obtain the first-encrypted session key. Here the Nth relay is the relay among the N relays that sends the session key to the receiving end.
In a specific implementation, the process of transmitting the session key differs with the number of relays between the sending end and the receiving end, as illustrated below.
Case 1: N=1, that is, there is one relay.
In a specific implementation, the following steps can be performed:
1.1) After generating the session key, the sending end performs the first encryption on it using the first shared key and the first encryption algorithm negotiated in advance with the receiving end. Before sending to the relay, it performs a second encryption on the first-encrypted session key, using the second shared key and the second encryption algorithm negotiated in advance with the relay, and sends the second-encrypted session key to the relay.
1.2) The relay performs the second decryption on the second-encrypted session key, using the second shared key negotiated in advance with the sending end and the second decryption algorithm corresponding to the second encryption algorithm, to obtain the first-encrypted session key. It then performs a third encryption on the first-encrypted session key, using the third shared key and the third encryption algorithm negotiated in advance with the receiving end, and sends the third-encrypted session key to the receiving end.
1.3) The receiving end performs the third decryption on the third-encrypted session key, using the third shared key negotiated in advance with the relay and the third decryption algorithm corresponding to the third encryption algorithm, to obtain the first-encrypted session key. It then decrypts the first-encrypted session key, using the pre-negotiated first shared key and the first decryption algorithm corresponding to the first encryption algorithm, to obtain the session key, and communicates with the sending end based on that key.
Case 2: N=2, that is, there are two relays, a first relay and a second relay, referred to below as relay 1 and relay 2 for ease of description.
In a specific implementation, the following steps can be performed:
2.1) After generating the session key, the sending end performs the first encryption on it using the first shared key and the first encryption algorithm negotiated in advance with the receiving end. Before sending to relay 1, it performs a second encryption on the first-encrypted session key, using the second shared key and the second encryption algorithm negotiated in advance with relay 1, and sends the second-encrypted session key to relay 1.
2.2) Relay 1 performs the second decryption on the second-encrypted session key, using the second shared key negotiated in advance with the sending end and the second decryption algorithm corresponding to the second encryption algorithm, to obtain the first-encrypted session key. It then performs a third encryption on the first-encrypted session key, using the third shared key and the third encryption algorithm negotiated in advance with relay 2, and sends the third-encrypted session key to relay 2.
2.3) Relay 2 performs the third decryption on the third-encrypted session key, using the third shared key negotiated in advance with relay 1 and the third decryption algorithm corresponding to the third encryption algorithm, to obtain the first-encrypted session key. It then performs a fourth encryption on the first-encrypted session key, using the fourth shared key and the fourth encryption algorithm negotiated in advance with the receiving end, and sends the fourth-encrypted session key to the receiving end.
2.4) The receiving end performs the fourth decryption on the fourth-encrypted session key, using the fourth shared key negotiated in advance with relay 2 and the fourth decryption algorithm corresponding to the fourth encryption algorithm, to obtain the first-encrypted session key. It then decrypts the first-encrypted session key, using the pre-negotiated first shared key and the first decryption algorithm corresponding to the first encryption algorithm, to obtain the session key, and communicates with the sending end based on that key.
Situation three:N>2, i.e., it is relayed in the presence of three or more.
As shown in Fig. 2, passing through N (N for transmitting terminal>2) a to relay the schematic diagram of session cipher key delivery to receiving terminal.Assuming that The first shared key negotiated in advance between transmitting terminal and receiving terminal is K, and the session key that transmitting terminal generates is Ks, and F indicates the One Encryption Algorithm, G indicate decipherment algorithm corresponding with the first Encryption Algorithm.The shared key negotiated between transmitting terminal and relaying 1 For K1, the shared key negotiated is K between relaying 1 and relaying 22... relaying the shared key negotiated between N-1 and relaying N is Kn, the shared key negotiated is K between relaying N and receiving terminaln+1.Transmitting terminal and relaying 1, relaying 1 and relaying are assumed simultaneously 2 ... the Encryption Algorithm P negotiated between relaying N-1 and relaying N, relaying N and receiving terminal is identical, and Q is that decryption corresponding with P is calculated Method.Here, P, Q can be realized using AES-CBC algorithms, can also be realized using fairly simple logical operation, such as with, Exclusive or etc..
In a specific implementation, the following steps can be performed:
3.1) After generating Ks, the transmitting terminal performs the first encryption using Kt = F(Ks, K), obtaining the first-encrypted session key Kt. Before sending Kt to relay 1, it performs the second encryption on Kt using K1t = P(Kt, K1) to obtain K1t, and sends K1t to relay 1.
3.2) After receiving K1t, relay 1 decrypts K1t using Kt = Q(K1t, K1) to obtain Kt, then encrypts Kt according to K2t = P(Kt, K2) to obtain K2t, and sends K2t to relay 2.
3.3) Relay 2 through relay N-1 perform the following steps.
A) Relay j (2 ≤ j ≤ N-1) receives Kjt sent by the upstream relay and decrypts Kjt using Kt = Q(Kjt, Kj) to obtain Kt.
B) Relay j then encrypts Kt using K(j+1)t = P(Kt, Kj+1) to obtain K(j+1)t, and sends K(j+1)t to the downstream relay.
3.4) After receiving Knt sent by relay N-1, relay N decrypts Knt using Kt = Q(Knt, Kn) to obtain Kt, encrypts Kt using K(n+1)t = P(Kt, Kn+1) to obtain K(n+1)t, and sends K(n+1)t to the receiving terminal.
3.5) After receiving K(n+1)t, the receiving terminal decrypts K(n+1)t using Kt = Q(K(n+1)t, Kn+1) to obtain Kt, then decrypts Kt using Ks = G(Kt, K) to obtain Ks.
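The hop-by-hop procedure in steps 3.1 to 3.5, as an added Python example (not code from the patent). P and Q are taken to be XOR with a link key exactly as long as Kt, one of the options the text names; F and G are a stand-in built from an HMAC-SHA256 keystream, because the text does not fix the first encryption algorithm. All function names and the generated keys are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumption: F prepends a fresh 16-byte nonce to its output


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """P and Q from the text, realised as XOR with a link key (its own inverse)."""
    if len(data) != len(key):
        raise ValueError("link key must be exactly as long as the data")
    return bytes(a ^ b for a, b in zip(data, key))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in primitive behind F and G."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def F(ks: bytes, k: bytes) -> bytes:
    """First encryption, Kt = F(Ks, K): nonce || (Ks XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor_bytes(ks, _keystream(k, nonce, len(ks)))


def G(kt: bytes, k: bytes) -> bytes:
    """First decryption, Ks = G(Kt, K)."""
    nonce, body = kt[:NONCE_LEN], kt[NONCE_LEN:]
    return xor_bytes(body, _keystream(k, nonce, len(body)))


def sender(ks: bytes, k: bytes, k1: bytes) -> bytes:
    """Step 3.1: Kt = F(Ks, K), then K1t = P(Kt, K1)."""
    return xor_bytes(F(ks, k), k1)


def relay(incoming: bytes, k_in: bytes, k_out: bytes):
    """Steps 3.2 to 3.4: Kt = Q(Kjt, Kj), then K(j+1)t = P(Kt, Kj+1).
    Returns (outgoing, kt) so the caller can inspect what the relay saw."""
    kt = xor_bytes(incoming, k_in)
    return xor_bytes(kt, k_out), kt


def receiver(incoming: bytes, k_last: bytes, k: bytes) -> bytes:
    """Step 3.5: Kt = Q(K(n+1)t, Kn+1), then Ks = G(Kt, K)."""
    return G(xor_bytes(incoming, k_last), k)


def run_chain(n_relays: int, ks_len: int = 32) -> dict:
    """Run the whole chain with freshly generated (constructed) keys."""
    if n_relays < 1:
        raise ValueError("the scheme needs at least one relay")
    ks = secrets.token_bytes(ks_len)   # session key Ks
    k = secrets.token_bytes(32)        # end-to-end first shared key K
    kt_len = NONCE_LEN + ks_len
    # link_keys[0] is K1 (sender to relay 1) ... link_keys[n] is Kn+1
    link_keys = [secrets.token_bytes(kt_len) for _ in range(n_relays + 1)]

    wire = [sender(ks, k, link_keys[0])]   # K1t, K2t, ..., K(n+1)t
    seen_by_relays = []                    # Kt as each relay holds it
    for j in range(n_relays):
        out, kt = relay(wire[-1], link_keys[j], link_keys[j + 1])
        wire.append(out)
        seen_by_relays.append(kt)
    recovered = receiver(wire[-1], link_keys[-1], k)
    return {"ks": ks, "k": k, "recovered": recovered,
            "wire": wire, "seen_by_relays": seen_by_relays}


if __name__ == "__main__":
    r = run_chain(4)
    print("receiver recovered Ks:", r["recovered"] == r["ks"])
    print("Ks visible to a relay:", any(r["ks"] in kt for kt in r["seen_by_relays"]))
```

Every relay holds Kt in the clear between Q and P, so the confidentiality of Ks against the relays rests on K and F alone; the per-link encryption only changes what appears on each link.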
In addition, as shown in Fig. 3, combining the method provided by the embodiments of the present application with Elliptic Curve Cryptography (ECC) makes it possible to distribute the first shared key among three communicating parties (A, B, C). As shown in Fig. 4, combining the method provided by the embodiments of the present application with cutting-edge cryptographic techniques such as multilinear pairings makes it possible to realize multi-party end-to-end session key distribution. In that case, multiple communication entities (A, B, C, D, ...) can use multilinear pairings to quickly complete the negotiation of one shared key without negotiating pairwise; when a mutually reachable quantum network also exists among these communication entities, multi-party end-to-end session key distribution based on quantum secure communication can be realized.
In the key distribution system provided by the embodiments of the present application, the transmitting terminal generates a session key after confirming that it needs to hold a session with the receiving terminal, performs the first encryption on the session key according to the first shared key and the first encryption algorithm negotiated in advance with the receiving terminal, and sends the result to one of the N relays. Each of the N relays receives the first-encrypted session key sent by the transmitting terminal or by its upstream relay, and sends it to the receiving terminal or to its downstream relay. The receiving terminal receives the first-encrypted session key sent by one of the N relays, decrypts it according to the first shared key and the first decryption algorithm corresponding to the first encryption algorithm to obtain the session key, and then holds the session with the transmitting terminal. In the embodiments of the present application, before transmitting the session key to a relay, the transmitting terminal can encrypt it using the first shared key and the first encryption algorithm, which has a higher security level. What the first relay receives is therefore the session key as encrypted by the transmitting terminal. The relay knows neither the first shared key used by the transmitting terminal nor the first encryption algorithm, and so cannot obtain the session key sent by the transmitting terminal. In addition, while the first relay and each subsequent relay forward the first-encrypted session key, they can encrypt it again, which better ensures that no relay can obtain the transmitting terminal's session key during transmission and thus ensures the security of the session key.
Embodiment two
Fig. 5 is a flowchart of a key distribution method provided by the embodiments of the present application, which includes the following steps:
S501: The transmitting terminal generates a session key after confirming that it needs to hold a session with the receiving terminal.
S502: The first encryption is performed on the session key according to the first shared key and the first encryption algorithm negotiated in advance with the receiving terminal.
S503: The first-encrypted session key is sent to the first relay, so that the first relay sends the first-encrypted session key on to the receiving terminal.
Optionally, before sending the first-encrypted session key to the first relay, the transmitting terminal may also perform the second encryption on the first-encrypted session key according to the second shared key and the second encryption algorithm negotiated in advance with the first relay, and then send it to the first relay, so that the first relay sends the second-encrypted session key to the receiving terminal, or sends it to the receiving terminal through other relays.
Fig. 6 is a flowchart of another key distribution method provided by the embodiments of the present application, which includes the following steps:
S601: The receiving terminal receives the first-encrypted session key sent by the N-th relay.
Here, the first encryption is the encryption that the transmitting terminal performs on the session key it generated, according to the first shared key and the first encryption algorithm negotiated in advance with the receiving terminal. N denotes the number of relays traversed when the session key of the transmitting terminal is transmitted to the receiving terminal, and is an integer greater than or equal to 1.
S602: According to the first shared key negotiated in advance and the first decryption algorithm corresponding to the first encryption algorithm, the first-encrypted session key is decrypted to obtain the session key, so that a session with the transmitting terminal can be held based on the session key.
Optionally, before decrypting the first-encrypted session key, the receiving terminal may also perform the (N+2)-th decryption on the session key that has undergone the (N+2)-th encryption, according to the (N+2)-th shared key negotiated in advance with the N-th relay and the (N+2)-th decryption algorithm corresponding to the (N+2)-th encryption algorithm, obtaining the first-encrypted session key.
Embodiment three
Based on the same inventive concept, the embodiments of the present application also provide a key distribution device corresponding to the key distribution method. Because the principle by which the device solves the problem is similar to that of the key distribution method of the embodiments of the present application, the implementation of the device may refer to the implementation of the method, and repeated details are omitted.
Fig. 7 is a structural diagram of a key distribution device 70 provided by the embodiments of the present application, which includes:
A generation module 701, configured to generate a session key after confirming that a session with the receiving terminal is needed;
An encrypting module 702, configured to perform the first encryption on the session key according to the first shared key and the first encryption algorithm negotiated in advance with the receiving terminal;
A sending module 703, configured to send the first-encrypted session key to the first relay, so that the first relay sends the first-encrypted session key to the receiving terminal.
Optionally, the sending module 703 is specifically configured to:
Perform the second encryption on the first-encrypted session key according to the second shared key and the second encryption algorithm negotiated in advance with the first relay, and then send it to the first relay, so that the first relay sends the second-encrypted session key to the receiving terminal, or sends it to the receiving terminal through other relays.
Fig. 8 is a structural diagram of another key distribution device 80 provided by the embodiments of the present application, which includes:
A receiving module 801, configured to receive the first-encrypted session key sent by the N-th relay; the first encryption is the encryption that the transmitting terminal performs on the session key it generated, according to the first shared key and the first encryption algorithm negotiated in advance with the receiving terminal; N denotes the number of relays traversed when the session key of the transmitting terminal is transmitted to the receiving terminal, and is an integer greater than or equal to 1;
A deciphering module 802, configured to decrypt the first-encrypted session key according to the first shared key negotiated in advance and the first decryption algorithm corresponding to the first encryption algorithm, obtaining the session key, so that a session with the transmitting terminal can be held based on the session key.
Optionally, the deciphering module 802 is further configured to:
Perform the (N+2)-th decryption on the session key that has undergone the (N+2)-th encryption, according to the (N+2)-th shared key negotiated in advance with the N-th relay and the (N+2)-th decryption algorithm corresponding to the (N+2)-th encryption algorithm, obtaining the first-encrypted session key.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, apparatus (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present application have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the present application.
Obviously, those skilled in the art can make various changes and variations to the present application without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of the present application and their technical equivalents, the present application is also intended to include them.

Claims (10)

1. A key distribution system, characterized by comprising: a transmitting terminal, N relays and a receiving terminal, N being an integer greater than or equal to 1, wherein:
The transmitting terminal is configured to generate a session key after confirming that a session with the receiving terminal is needed; to perform the first encryption on the session key according to the first shared key and the first encryption algorithm negotiated in advance with the receiving terminal; and to send the first-encrypted session key to one relay among the N relays;
The N relays are configured to receive the first-encrypted session key sent by the transmitting terminal or by the upstream relay of the relay, and to send the first-encrypted session key to the receiving terminal or to the downstream relay of the relay;
The receiving terminal is configured to receive the first-encrypted session key sent by one relay among the N relays, and to decrypt the first-encrypted session key according to the first shared key negotiated in advance and the first decryption algorithm corresponding to the first encryption algorithm, obtaining the session key.
2. The system as claimed in claim 1, characterized in that the transmitting terminal is specifically configured to:
After obtaining the first-encrypted session key, perform the second encryption on the first-encrypted session key according to the second shared key and the second encryption algorithm negotiated in advance with the first relay, and then send it to the first relay; the first relay is the relay among the N relays that receives the session key sent by the transmitting terminal;
Any relay among the N relays is specifically configured to:
Decrypt the twice-encrypted session key sent by the transmitting terminal or by the upstream relay, obtaining the first-encrypted session key; and encrypt the first-encrypted session key and then send it to the receiving terminal or to the downstream relay of the relay;
The receiving terminal is further configured to:
Before decrypting the first-encrypted session key, and after receiving the twice-encrypted session key sent by the N-th relay, perform the (N+2)-th decryption on the session key that has undergone the (N+2)-th encryption, according to the (N+2)-th shared key negotiated in advance with the N-th relay and the (N+2)-th decryption algorithm corresponding to the (N+2)-th encryption algorithm, obtaining the first-encrypted session key; wherein the N-th relay is the relay among the N relays that sends the session key to the receiving terminal.
3. A key distribution method, characterized by comprising:
A transmitting terminal generating a session key after confirming that a session with a receiving terminal is needed;
Performing the first encryption on the session key according to the first shared key and the first encryption algorithm negotiated in advance with the receiving terminal;
Sending the first-encrypted session key to the first relay.
4. The method as claimed in claim 3, characterized in that sending the first-encrypted session key to the first relay comprises:
Performing the second encryption on the first-encrypted session key according to the second shared key and the second encryption algorithm negotiated in advance with the first relay, and then sending it to the first relay.
5. A key distribution method, characterized by comprising:
A receiving terminal receiving the first-encrypted session key sent by the N-th relay; the first encryption is the encryption that the transmitting terminal performs on the session key it generated, according to the first shared key and the first encryption algorithm negotiated in advance with the receiving terminal; wherein N denotes the number of relays traversed when the session key of the transmitting terminal is transmitted to the receiving terminal, and is an integer greater than or equal to 1;
Decrypting the first-encrypted session key according to the first shared key negotiated in advance and the first decryption algorithm corresponding to the first encryption algorithm, obtaining the session key.
6. The method as claimed in claim 5, characterized in that, before the first-encrypted session key is decrypted, the method further comprises:
Performing the (N+2)-th decryption on the session key that has undergone the (N+2)-th encryption, according to the (N+2)-th shared key negotiated in advance with the N-th relay and the (N+2)-th decryption algorithm corresponding to the (N+2)-th encryption algorithm, obtaining the first-encrypted session key.
7. A key distribution device, characterized by comprising:
A generation module, configured to generate a session key after confirming that a session with a receiving terminal is needed;
An encrypting module, configured to perform the first encryption on the session key according to the first shared key and the first encryption algorithm negotiated in advance with the receiving terminal;
A sending module, configured to send the first-encrypted session key to the first relay.
8. The device as claimed in claim 7, characterized in that the sending module is specifically configured to:
Perform the second encryption on the first-encrypted session key according to the second shared key and the second encryption algorithm negotiated in advance with the first relay, and then send it to the first relay.
9. A key distribution method device, characterized by comprising:
A receiving module, configured to receive the first-encrypted session key sent by the N-th relay; the first encryption is the encryption that the transmitting terminal performs on the session key it generated, according to the first shared key and the first encryption algorithm negotiated in advance with the receiving terminal; wherein N denotes the number of relays traversed when the session key of the transmitting terminal is transmitted to the receiving terminal, and is an integer greater than or equal to 1;
A deciphering module, configured to decrypt the first-encrypted session key according to the first shared key negotiated in advance and the first decryption algorithm corresponding to the first encryption algorithm, obtaining the session key.
10. The device as claimed in claim 9, characterized in that the deciphering module is further configured to:
Perform the (N+2)-th decryption on the session key that has undergone the (N+2)-th encryption, according to the (N+2)-th shared key negotiated in advance with the N-th relay and the (N+2)-th decryption algorithm corresponding to the (N+2)-th encryption algorithm, obtaining the first-encrypted session key.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710051861.6A CN108337084A (en) 2017-01-20 2017-01-20 A kind of key distribution system, method and device

Publications (1)

Publication Number Publication Date
CN108337084A true CN108337084A (en) 2018-07-27

Family

ID=62921945

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180727