CN108462573B - Flexible quantum secure mobile communication method - Google Patents

Flexible quantum secure mobile communication method Download PDF

Info

Publication number
CN108462573B
CN108462573B CN201810132408.2A CN201810132408A CN108462573B CN 108462573 B CN108462573 B CN 108462573B CN 201810132408 A CN201810132408 A CN 201810132408A CN 108462573 B CN108462573 B CN 108462573B
Authority
CN
China
Prior art keywords
qkmc
qkd
mobile terminal
sub
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810132408.2A
Other languages
Chinese (zh)
Other versions
CN108462573A (en
Inventor
徐兵杰
陈晖�
黄伟
何远杭
樊矾
杨杰
刘金璐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 30 Research Institute
Original Assignee
CETC 30 Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CETC 30 Research Institute filed Critical CETC 30 Research Institute
Priority to CN201810132408.2A priority Critical patent/CN108462573B/en
Publication of CN108462573A publication Critical patent/CN108462573A/en
Application granted granted Critical
Publication of CN108462573B publication Critical patent/CN108462573B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a flexible quantum secure mobile communication method.A QKD node provides quantum basic key injection service for a mobile terminal, and a quantum key is negotiated between the QKD node and a QKMC through a QKD network; the QKMC distributes session keys among two or more mobile terminals; including a registration process and an online negotiation session key process. The invention has more flexible quantum key service and management modes: after the mobile terminal injects the quantum basic key once, the mobile terminal can obtain quantum key service at any QKD node, and can inject the quantum key service again at any QKD node after the quantum basic key is used up, so that the access is flexible; the whole process of obtaining the session key by the mobile terminal is quantum secure, and has higher security compared with other key distribution schemes of mobile application which need to adopt the traditional key negotiation technology; a quantum key management center is introduced to uniformly control the generation and negotiation of the user session key, so that the management with higher efficiency and full life cycle is realized.

Description

Flexible quantum secure mobile communication method
Technical Field
The invention relates to a flexible quantum secure mobile communication method.
Background
Under the background of rapid development of network space security technology, under the excitation of national relevant industrial policies, the Quantum communication industry mainly based on Quantum Key Distribution (QKD) network deployment and application system construction has stepped into the rapid development period. QKD is based on the principle of quantum mechanics and is the only key distribution that has been strictly proven unconditionally secure to date. The QKD is combined with a one-time pad encryption algorithm, so that the safety problem of data transmission can be fundamentally solved, and the QKD has important practical application value.
With the rapid development of mobile internet, mobile internet and mobile office have become a big trend. At the same time, the security challenges for mobile applications are becoming more severe. Enterprises and research institutions in the field of domestic quantum communication actively lay out technologies and patents combining quantum security and mobile application, and develop quantum security mobile application systems at a repeated point. The mobile application of quantum security has become one of the important directions for the application and popularization of QKD.
At present, the realization mode of using the quantum key generated by the QKD network to perform mobile secure communication application is mostly a quantum key relay or ciphertext relay mode, and has the problems of inconvenience for unified management and control and poor security (for example, the quantum key is mostly encrypted and forwarded by using the traditional password from the QKD network to a mobile terminal, and has no quantum security).
Disclosure of Invention
In order to overcome the above disadvantages of the prior art, the present invention provides a flexible quantum secure mobile communication method, which aims to solve the problems of uniform management and control of quantum keys, access flexibility of mobile terminals, and security of mobile applications in quantum secure mobile communication.
The technical scheme adopted by the invention for solving the technical problems is as follows: a flexible quantum secure mobile communication method, comprising the steps of:
step one, the mobile terminal registers and accesses the network, and the QKD node applies for obtaining QBK and establishes a service binding relationship list;
step two, the mobile terminal applies for a session key from the QKMC or the QKMC sub-center, and the QKMC or the QKMC sub-center searches a QKD node bound by the mobile terminal and sends a service instruction to the QKD node;
step three, the QKD node encrypts an QBK sub-key of the bound mobile terminal by respectively adopting a quantum key shared by the QKMC or the QKMC sub-center and sends the obtained encrypted data to the QKMC or the QKMC sub-center;
step four, the QKMC or the QKMC sub-center decrypts to obtain QBK sub-keys of the mobile terminal bound by the QKD node, generates a session key R, encrypts R by using each sub-key respectively and then transmits the R to the corresponding mobile terminal; each mobile terminal respectively decrypts to obtain R which is used as a session key of the communication;
and step five, deleting the used key data respectively by each QKD node and the mobile terminal bound by the QKD node, the QKMC or the QKMC sub-center, updating the service binding relation list, and updating the node state information by each QKD node.
Compared with the prior art, the invention has the following positive effects:
the invention has more flexible quantum key service and management mode and has the following three aspects of remarkable innovation:
(1) after the mobile terminal injects the quantum basic key once, the mobile terminal can obtain quantum key service at any QKD node, and can inject the quantum key service again at any QKD node after the quantum basic key is used up, so that the access is flexible;
(2) the whole process of obtaining the session key by the mobile terminal is quantum secure, and has higher security compared with other key distribution schemes of mobile application which need to adopt the traditional key negotiation technology;
(3) a quantum key management center is introduced to uniformly control the generation and negotiation of the user session key, so that the management with higher efficiency and full life cycle is realized.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
FIG. 1 is a schematic diagram of a registration process of the method of the present invention;
FIG. 2 is a schematic diagram of the process of negotiating session keys online according to the method of the present invention;
FIG. 3 is a communication flow diagram of the method of the present invention;
FIG. 4 is a schematic diagram of group communication according to the method of the present invention;
FIG. 5 is a diagram illustrating different connection relationships between the QKD node and the QKMC according to the present invention;
FIG. 6 is a communication flow diagram according to the first embodiment;
FIG. 7 is a diagram illustrating a communication flow according to the second embodiment;
fig. 8 is a schematic communication flow chart according to the third embodiment;
FIG. 9 is a communication flow chart according to a fourth embodiment;
FIG. 10 is a schematic communication flow chart according to the fifth embodiment;
fig. 11 is a communication flow diagram according to a sixth embodiment;
fig. 12 is a schematic communication flow chart of the seventh embodiment;
fig. 13 is a schematic communication flow chart of the eighth embodiment;
fig. 14 is a schematic communication flow diagram according to the ninth embodiment.
Detailed Description
First, the system of the invention is composed
The invention provides a Quantum-safe mobile secret communication system, which comprises a QKD node, a mobile terminal, a Quantum Key Management Center (QKMC) and a QKMC sub-Center, wherein:
(1) the QKD node is composed of one or more sending ends and receiving ends of the quantum key distribution system (including but not limited to an end access node and a relay node of the QKD network) and provides quantum key distribution service; each QKD node can negotiate quantum keys with other QKD nodes that have available links, and can also negotiate quantum keys with the QKMC that has available links; the main roles of the QKD nodes include, but are not limited to: (a) allocating a quantum identity number for a registered mobile terminal; (b) providing quantum basic key injection service for the mobile terminal, and creating a service binding relationship list (including but not limited to a quantum identity number of the mobile terminal, an address of the QKD node with the binding relationship, and the allowance of the quantum basic key) between the mobile terminal and the QKD node; (c) uploading a service binding relation list to the QKMC or the QKMC sub-center to which the QKMC belongs; (d) responding to the instruction of the QKMC or the affiliated QKMC sub-center, the QKD node bound by the mobile terminal selects a sub-key of the corresponding quantum basic key according to the quantum identity number specified by the instruction, and the sub-key is encrypted by the quantum key and then sent to the QKMC or the affiliated QKMC sub-center.
(2) Mobile terminals, including but not limited to smart phones, tablet computers, notebook computers, mobile car-mounted devices or other software and hardware systems with mobile communication functions, are the initiator and the receiver of communication services. The mobile terminal is provided with a permanent storage device (including but not limited to a flash memory chip and an SD card), a hardware module capable of supporting network access, a QKD network information interaction capability and a data encryption and decryption processing computing capability. The mobile terminal can be connected nearby (including but not limited to adopting a USB or NFC interface) with a QKD node, a QKMC or a QKMC sub-center, performs network access registration, and imports a quantum basic key after the registration is successful; the mobile terminal can acquire quantum basic keys at a plurality of QKD nodes according to application requirements, and the QKMC selects an optimal service strategy according to the QKD network condition, or a user specifies to use the quantum basic keys acquired at a certain QKD node.
(3) The QKMC consists of a QKD node, a quantum network management system and a quantum key management and service system, and is used for providing quantum network management, quantum key management and session key distribution for the whole network.
The QKMC major functions include, but are not limited to:
(a) storing, maintaining and inquiring a service binding relation list between the mobile terminal and the corresponding QKD node; judging the legality of the relevant mobile terminal according to the received information;
(b) collecting state information of each QKD node (or QKMC sub-center) in real time by using network connection with other QKD nodes (or QKMC sub-centers), and sending instructions for quantum key relay, quantum key negotiation or sub-key reporting of quantum basic keys of a certain mobile terminal to each QKD node (or QKMC sub-center);
(c) maintaining network connection with each QKD node, summarizing current state indexes of each QKD node participating in session key agreement, and judging and specifying the QKD nodes participating in the session key agreement; the method for the QKMC to determine and specify the QKD node for session key agreement includes, but is not limited to: the QKMC obtains the address of the calling QKD node and the address of the called QKD node in the communication according to the related information of the calling mobile terminal and the called mobile terminal in the received request information and the binding relationship between the corresponding QKD node and the mobile terminal; and then queries and selects the best link between the calling QKD node and the called QKD node.
The basic strategy for selecting QKMC includes: (a) for a multi-level QKD network with a tree topology structure, a root node of the multi-level QKD network is used as a QKMC, and a key child node is used as a QKMC sub-center; (b) for a QKD network with an irregular topology, a core node of the QKD network is used as a QKMC, and a core node of an area subnet is used as a QKMC hub (the QKMC hubs are numbered according to a certain rule, and are denoted as QKMC _ i, for example).
(4) A QKMC hub, which is a management node in the QKD network that directly connects multiple QKD nodes (typically a central node of an area subnet in the QKD network); the QKMC sub-center provides session key distribution services to mobile terminals bound by QKD nodes specified by the authorization under the authorization of the QKMC.
Second, basic method
For convenience of description, the key involved in the scheme of the present invention is first explained, and the key involved in the scheme of the present invention mainly includes:
(1) quantum Basic Key (Quantum Basic Key, QBK): QBK shared between the QKD node and the mobile terminal is a true random number (including but not limited to a sequence of random numbers generated by a physical noise source such as a quantum random number generator) generated by the QKD node and directed to the mobile terminal; one part of a quantum basic key is used as a sub-key for each secret communication, the sub-key is used for negotiating a session key, and the sub-key is deleted after being used once; after the quantum basic key is used up, the mobile terminal selects one QKD node nearby for refilling (including but not limited to refilling by adopting USB and NFC interfaces).
(2) Quantum Key (Quantum Key, QK): a quantum key shared between the QKD node and the QKMC, or other QKD nodes, generated by a QKD link connecting the QKD node and the QKMC (or other QKD nodes) (quantum keys pre-distributed or negotiated in real-time through a QKD network); the quantum key is deleted after being used once.
(3) Session key (hereinafter R): the session key between the mobile terminals is manufactured based on a true random number (including but not limited to a random number generated by a physical noise source such as a quantum random number generator) generated by a QKMC or a QKMC sub-center, and is encrypted by using a sub-key of a quantum basic key and then sent to the mobile terminals; the key is deleted after being used once and then negotiated after being used.
(4) Master key (denoted as MK below): the master key for the mobile terminal is a key for device authentication that is generated by the QKD node or QKMC and injected into the mobile terminal.
(5) Identity authentication key (AK below): the authentication key of the mobile terminal is a key generated by the QKD node or QKMC and injected into the mobile terminal for authenticating the identity of the user.
The basic principle of the method of the invention is as follows:
the QKD node provides quantum basic key injection service for the mobile terminal, and quantum keys are negotiated between the QKD node and the QKMC through a QKD network; the QKMC distributes session keys between two or more mobile terminals based on quantum basis keys of the mobile terminals and quantum keys between the QKMC and the QKD nodes.
The method of the present invention comprises a registration process (as shown in fig. 1) and an online session key negotiation process (as shown in fig. 2), and specifically comprises the following steps (the communication flow is shown in fig. 3). (the following is set forth for communication between two mobile terminals):
and (3) registration process:
step one, a mobile terminal applies for network access to a QKD node in a near-field manner to obtain a unique quantum identity number, a master key and an identity authentication key (as shown in a flow 1 in figure 1);
step two, the mobile terminal applies for quantum basic keys to the QKD node (a user applies for injection amount according to communication requirements of voice, video, data and the like in a certain time period, for example, the main service of a certain user is encrypted voice communication, and if the encrypted voice communication time in one month is about 10 hours, 300Mb is injected once to basically meet the requirements in one month, the voice coding rate of 8Kb/s is adopted, the voice coding data is encrypted in a one-time pad mode, and a random key of 288Mb is needed in 10 hours) (as a flow 2 in FIG. 1);
step three, the QKD node encrypts the collected registration information (including but not limited to the service binding relationship list and the identity authentication key) of the mobile terminal by using the shared quantum key between the QKD node and the QKMC (or QKMC sub-center) and sends the encrypted information to the QKMC (or QKMC sub-center) (as shown in the flow 3 in fig. 1); if there is no shared quantum key between the QKD node and the QKMC (or QKMC hub), the shared quantum key needs to be negotiated first.
And (3) online session key negotiation process:
step one, as shown in fig. 2, when the mobile terminal U and the mobile terminal V need to communicate, the initiator U requests a session key for communicating with V from the QKMC (or QKMC sub-center) (flow 1 in fig. 2); the QKMC (or QKMC sub-center) firstly performs identity authentication on U, and searches a corresponding service binding relationship list and a QKD node bound by the service binding relationship list according to the quantum identity numbers of U and V after authentication (a flow 2 in fig. 2, supposing that QKD _ A and QKD _ B are adopted, U applies a quantum basic key QBKu to QKD _ A and is divided into a plurality of sub-keys QBK _ i, i is 0,1,2, …, V applies a quantum basic key Kv to QKD _ B and is divided into a plurality of sub-keys QBK _ j, j is 0,1,2, …); the QKMC (or QKMC sub-center) sends service instructions to QKD _ A and QKD _ B, respectively; the QKD _ A encrypts QBKu _ i by using a quantum key QK _ A shared with the QKMC (or QKMC hub) and sends QBKUi to the QKMC (or QKMC hub, and a flow 3 in the figure 2); the QKD _ B encrypts QBKv _ j using a quantum key QK _ B shared with the QKMC (or QKMC hub) and sends it to the QKMC (or QKMC hub, flow 3 in fig. 2); QKMC (or QKMC sub-center) decrypts and obtains QBKu _ i and QBKv _ j, respectively, then generates a session key R, and transmits the session key R
Figure BDA0001575291750000091
And
Figure BDA0001575291750000092
(
Figure BDA0001575291750000093
is an exclusive or operation) to U and V (flow 4 in fig. 2), which decrypt R and use R as the session key for the communication (flow 5 in fig. 2).
Step two, U, V, QKMC (or QKMC decentralized), QKD _ a and QKD _ B delete used key data and update the service bindings list, respectively, and each node updates node state information (including but not limited to link state with neighboring nodes, shared key margins).
For the case of group communication of n (n >2) users (e.g., U1, U2, …, Un shown in fig. 4), assuming that the initiator U1 requests a group session key for communication with U2, …, Un from the QKMC, the QKMC looks up the corresponding service binding relationship list and m QKD nodes bound thereto (assuming QKD _ a1, …, QKD _ Am) according to the quantum identity numbers of U1, U2, …, Un, respectively; the QKMC sends service instructions to QKD _ A1, … and QKD _ Am respectively; the QKD _ A1, … and QKD _ Am respectively adopt quantum keys shared with the QKMC to encrypt sub-keys of quantum basic keys of the bound application terminals and send the sub-keys to the QKMC; the QKMC respectively decrypts and obtains the sub-keys of U1, U2, … and Un; then generating a session key R, encrypting R by using subkeys of U1, U2, … and Un respectively, and sending the R to U1, U2, … and Un respectively; u1, U2, … and Un are decrypted to obtain R, and R is used as the group session key of the communication.
Aiming at different connection relationships between the QKD nodes and the QKMC in the method of the present invention, the present invention also designs several typical application extension methods (as shown in fig. 5, it should be noted that the application extension methods of the method of the present invention include, but are not limited to, the following methods).
Basic strategy of application extension:
all session key agreements between calling and called mobile terminals in the present invention are prepared and distributed by the QKMC, the QKMC sub-center to which the calling or called mobile terminals are bound. Therefore, the quantum key relay link involved in the session key agreement procedure contains at least one of the QKMC, the QKMC split center bound by the calling mobile terminal or the QKMC split center bound by the called mobile terminal. Under this premise, the following strategies are specifically included but not limited:
(1) strategy A
(a-1) for the case where the QKD nodes bound by the calling and called mobile terminals both directly bind the QKMC, the QKMC directly provides services;
(A-2) for the case where the QKD nodes to which the calling and called mobile terminals are bound belong to one QKMC sub-center, the QKMC sub-center is directly designated to provide services.
For the case that the QKD nodes (e.g., QKD _ a and QKD _ B) bound by the calling and called mobile terminals do not directly bind to the QKMC at the same time and do not belong to the same QKMC sub-center, the following strategies are adopted:
(2) policy B (valid shortest path at least through QKMC, one QKMC sub-center to which the calling or called mobile terminals are bound):
(B-1) the service is provided by the QKMC with the effective shortest link (i.e., the shortest link actually available) between the QKD nodes bound by the calling and called mobile terminals passing through the QKMC but not through the QKMC sub-center bound by the calling and called mobile terminals;
(B-2) in case that the effective shortest link between the QKD nodes bound by the calling and called mobile terminals passes through only one bound QKMC sub-center (but not through QKMC), directly served by the QKMC sub-center;
(B-3) in case that the effective shortest link between the QKD nodes bound by the calling and called mobile terminals passes through the QKMC hubs bound by the calling and called mobile terminals at the same time (but not through the QKMC), the QKMC preferentially designates the service to be provided with the QKMC hub to which the calling mobile terminal belongs;
(B-4) in case that the effective shortest link between the QKD nodes bound by the calling and called mobile terminals passes through the QKMC and the QKMC sub-center bound by the calling mobile terminal but does not pass through the QKMC sub-center bound by the called mobile terminal, the service is provided by the QKMC sub-center bound by the calling mobile terminal;
(B-5) the service is provided by the QKMC sub-center to which the called mobile terminal is bound, in case that the effective shortest link between the QKD nodes to which the calling and called mobile terminals are bound passes through the QKMC sub-center to which the QKMC and the called mobile terminal are bound but does not pass through the QKMC sub-center to which the calling mobile terminal is bound;
(B-6) the service is provided by the QKMC sub-center to which the calling mobile terminal is bound, in case that the effective shortest link between the QKD nodes to which the calling and called mobile terminals are bound passes through the QKMC, the QKMC sub-center to which the calling and called mobile terminals are bound.
(3) Policy C (the shortest path is not through QKMC nor through QKMC sub-center to which the calling and called mobile terminals are bound)
QKMC operates as follows:
(a) calculating the shortest path 1 between the QKMC branch center to which the QKD _ A, QKD _ A belongs and the QKD _ B;
(b) calculating the shortest path 2 between the QKMC branch center to which the QKD _ A, QKD _ B belongs and the QKD _ B;
(c) comparing the shortest path 1 with the shortest path 2, and if the shortest path 1 is optimal, then specifying the QKMC sub-center to which the QKD _ A belongs to provide the service; otherwise, the QKD _ B is assigned to the QKMC sub-center to which the sub-center belongs to provide the service.
According to the above strategy, the following typical application extension methods can be directly obtained:
(1) policy (A-1) embodiment (e.g., in FIG. 5, assuming U is bound to QKD _ C1, V is bound to QKD _ C2, and QKMC directly provides this service): the QKD _ C1 adopts a quantum key QK _ C1 shared with the QKMC to encrypt QBKu _ i and sends the QKD _ i to the QKMC; the QKD _ C2 adopts a quantum key QK _ C2 shared with the QKMC to encrypt QBKv _ j and sends the QKMC; QKMC decrypts and obtains QBKu _ i and QBKv _ j, respectively, then generates a session key R, and sends the session key R
Figure BDA0001575291750000121
And
Figure BDA0001575291750000122
(
Figure BDA0001575291750000123
is exclusive or operation) to U and V, which decrypt to obtain R and use R as the session key of the communication (R is used to encrypt plaintext P, and the protocol flow is shown in fig. 6).
(2) Policy (a-2) embodiment (for example, in fig. 5, assuming that U is bound to QKD _ B1, V is bound to QKD _ B2, and the effective shortest link between QKD _ B1 and QKD _ B2 is via QKMC2, which specifies that QKMC2 provides this service, the communication flow is as shown in fig. 7): the QKD _ B1 encrypts QBKu _ i with a quantum key QK _ B1 shared with QKMC2 and sends QKMC 2; QKD _ B2 encrypts QBKv _ j with quantum key QK _ B2 shared with QKMC2 and sends QKMC 2; QKMC2 decrypts to obtain QBKu _ i and QBKv _ j, generates session key R, and sends R ^ QBKu _ i and R ^ QBKv _ j to U and V, respectively, and U and V decrypt to obtain R and use R as the session key of the communication.
(3) Policy (B-1) embodiment (for example, in FIG. 5, assuming that U is bound to QKD _ D2, V is bound to QKD _ E1, and the effective shortest link between QKD _ D2 and QKD _ E1 is through QKMC, which provides the service, the communication flow is shown in FIG. 8): QKD _ D2 relays QBKu _ i encryption to QKMC via QKD _ D1; the QKD _ E1 adopts a quantum key QK _ E1 shared with the QKMC to encrypt QBKv _ j and sends the QKMC; QKMC decrypts and obtains QBKu _ i and QBKv _ j, respectively, then generates a session key R, and sends the session key R
Figure BDA0001575291750000131
And
Figure BDA0001575291750000132
and respectively sending the key to U and V, respectively decrypting the U and V to obtain R, and using the R as a session key of the communication.
(4) Policy (B-2) embodiment (for example, in fig. 5, assuming that U is bound to QKD _ a4, V is bound to QKD _ B2, and the effective shortest link between QKD _ a4 and QKD _ B2 is via QKMC2, which specifies that QKMC2 provides this service, the communication flow is as shown in fig. 9): QKD _ a4 relays QBKu _ i encryption to QKMC2 via QKD _ B1; QKD _ B2 encrypts QBKv _ j with quantum key QK _ B2 shared with QKMC2 and sends QKMC 2; QKMC2 decrypts and obtains QBKu _ i and QBKv _ j, respectively, then generates session key R, and sends the key R to the user
Figure BDA0001575291750000141
And
Figure BDA0001575291750000142
and respectively sending the key to U and V, respectively decrypting the U and V to obtain R, and using the R as a session key of the communication.
(5) Policy (B-3) embodiment (e.g., in FIG. 5, assuming that calling U is bound to QKD _ A1 and V is bound to QKD _ B2, QKMC specifies that QKMC1 provides this service, as shown in FIG. 10): QKD _ B2 relays QBKv _ j to QKMC1 through QKMC2, QKD _ A encryption; the QKD _ A1 adopts a quantum key QK _ A1 shared with the QKMC1 to encrypt QBKu _ i and send the QBKKu _ i to the QKMC 1; QKMC1 decrypts and obtains QBKu _ i and QBKv _ j, respectively, then generates session key R, and sends the key R to the user
Figure BDA0001575291750000143
And
Figure BDA0001575291750000144
and respectively sending the key to U and V, respectively decrypting the U and V to obtain R, and using the R as a session key of the communication.
(6) Policy (B-4) embodiment (e.g., in FIG. 5, assuming that calling U is bound to QKD _ A1 and V is bound to QKD _ D1, QKMC specifies that QKMC1 provides this service, as shown in FIG. 11): QKD _ D1 relays QBKv _ j encryption to QKMC1 via QKMC; the QKD _ A1 adopts a quantum key QK _ A1 shared with the QKMC1 to encrypt QBKu _ i and send the QBKKu _ i to the QKMC 1; QKMC1 decrypts and obtains QBKu _ i and QBKv _ j, respectively, then generates session key R, and sends the key R to the user
Figure BDA0001575291750000145
And
Figure BDA0001575291750000146
and respectively sending the key to U and V, respectively decrypting the U and V to obtain R, and using the R as a session key of the communication.
(7) Policy (B-5) embodiment (e.g., in fig. 5, assuming that calling U is bound to QKD _ D1 and V is bound to QKD _ a1, QKMC specifies that QKMC1 provides this service, as shown in fig. 12): QKD _ D1 relays QBKu _ j encryption to QKMC1 via QKMC; the QKD _ A1 adopts a quantum key QK _ A1 shared with the QKMC1 to encrypt QBKv _ i and send the QBKV _ i to the QKMC 1; QKMC1 decrypts and obtains QBKu _ i and QBKv _ j, respectively, then generates session key R, and sends the key R to the user
Figure BDA0001575291750000151
And
Figure BDA0001575291750000152
and respectively sending the key to U and V, respectively decrypting the U and V to obtain R, and using the R as a session key of the communication.
(8) Policy (B-6) embodiment (e.g., in FIG. 5, assuming that calling U is bound to QKD _ A1 and V is bound to QKD _ E3, QKMC specifies that QKMC1 provides this service, as shown in FIG. 13): QKD _ E3 cryptographically relays QBKv _ j to QKMC1 via QKMC4, QKD _ E1 and QKMC; the QKD _ A1 adopts a quantum key QK _ A1 shared with the QKMC1 to encrypt QBKu _ i and send the QBKKu _ i to the QKMC 1; QKMC1 decrypts and obtains QBKu _ i and QBKv _ j, respectively, then generates session key R, and sends the key R to the user
Figure BDA0001575291750000153
And
Figure BDA0001575291750000154
and respectively sending the key to U and V, respectively decrypting the U and V to obtain R, and using the R as a session key of the communication.
(9) An embodiment of policy (C) (e.g., in fig. 5, assuming U is bound to QKD _ a4 and V is bound to QKD _ B3, the communication flow is as shown in fig. 14): the QKMC first computes the shortest path 1 (8 nodes in total on this link) between the connections QKD _ a4, QKMC1 and QKD _ B3, the shortest path 2 (5 nodes in total on this link) between QKD _ a4, QKMC2 and QKD _ B3, respectively, with the shortest path 2 being optimal, QKMC specifying QKMC2 to provide this service. QKD _ a4 relays QBKu _ i encryption to QKMC2 via QKD _ B1; QKD _ B3 relays QBKv _ i encryption to QKMC2 through QKD _ B2; QKMC2 decrypts and obtains QBKu _ i and QBKv _ j, respectively, then generates session key R, and sends the key R to the user
Figure BDA0001575291750000155
Figure BDA0001575291750000156
And
Figure BDA0001575291750000157
and respectively sending the key to U and V, respectively decrypting the U and V to obtain R, and using the R as a session key of the communication.

Claims (9)

1. A flexible quantum secure mobile communication method, characterized by: the method comprises the following steps:
step one, the mobile terminal registers and accesses the network, and the QKD node applies for obtaining QBK and establishes a service binding relationship list:
(1) the mobile terminal applies for network access to a QKD node nearby to obtain a unique quantum identity number, a master key and an identity authentication key;
(2) the mobile terminal applies QBK to the QKD node;
(3) the QKD node injects QBK the mobile terminal and creates a list of service bindings to the mobile terminal: quantum identity number of the mobile terminal, address of the node with binding relationship QKD and allowance of quantum basic key;
(4) then the QKD node encrypts the collected registration information of the mobile terminal by using a shared quantum key between the QKD node and the QKMC or QKMC sub-center and sends the encrypted registration information to the QKMC or QKMC sub-center;
step two, the mobile terminal applies for a session key from the QKMC or the QKMC sub-center, and the QKMC or the QKMC sub-center searches a QKD node bound by the mobile terminal and sends a service instruction to the QKD node;
step three, the QKD node encrypts an QBK sub-key of the bound mobile terminal by respectively adopting a quantum key shared by the QKMC or the QKMC sub-center and sends the obtained encrypted data to the QKMC or the QKMC sub-center;
step four, the QKMC or the QKMC sub-center decrypts to obtain QBK sub-keys of the mobile terminal bound by the QKD node, generates a session key R, encrypts R by using each sub-key respectively and then transmits the R to the corresponding mobile terminal; each mobile terminal respectively decrypts to obtain R which is used as a session key of the communication;
and step five, deleting the used key data respectively by each QKD node and the mobile terminal bound by the QKD node, the QKMC or the QKMC sub-center, updating the service binding relation list, and updating the node state information by each QKD node.
2. A flexible quantum secure mobile communication method according to claim 1, characterized in that: the QBK is a random number generated using a quantum random number generator that can be split into multiple subkeys.
3. A flexible quantum secure mobile communication method according to claim 1, characterized in that: the QKMC or QKMC sub-center is composed of a QKD node, a quantum network management system and a quantum key management and service system, and the QKMC or QKMC sub-center provides quantum network management, quantum key management and session key distribution to the whole network in a unified manner according to a quantum network management strategy based on the current state of the QKD node and the distribution condition of the QKD node in the network; the quantum network management strategy comprises the following steps:
(a) for a multi-level QKD network with a tree topology structure, a root node of the multi-level QKD network is used as a QKMC, and a key child node is used as a QKMC sub-center; (b) for a QKD network with an irregular topology, the core node of the QKD network is taken as the QKMC, and the core node of the area sub-network is taken as the QKMC sub-center.
4. A flexible quantum secure mobile communication method according to claim 1, characterized in that: the current state metrics of the QKD node include:
(1) an index reflecting the heavy state of the service key generation task currently borne by the node, wherein the index is a quantized index and comprises:
(1-1) a nominal traffic key generation rate of the node;
(1-2) how many groups of secure communication services the node is currently generating a service key;
(1-3) how much traffic key amount is to be generated by the node at present;
(1-4) specifying an actual generation rate and a consumption rate of each set of traffic keys among the traffic keys generated by the node;
(1-5) specifying a generated number and a consumed number of each set of traffic keys among the traffic keys generated by the node;
(2) the index reflecting the current position state of the node in the quantum key distribution network is a quantized index, and the index comprises the following components:
(2-1) how many other nodes possess quantum channels between the node and the other nodes, and a shared secret key can be generated;
(2-2) the number of hops between the node and other nodes;
(3) any combination of one or more of the above 7 status indicators.
5. A flexible quantum secure mobile communication method according to claim 1, characterized in that: the quantum key relay link involved in the session key negotiation process at least comprises one of the QKMC, the QKMC sub-center bound by the calling mobile terminal or the QKMC sub-center bound by the called mobile terminal.
6. A flexible quantum secure mobile communication method according to claim 5, characterized in that: for the case that the QKD nodes bound by the calling and called mobile terminals both directly bind the QKMC, the QKMC directly provides services; in the case that the QKD nodes bound by the calling and called mobile terminals both belong to one QKMC sub-center, the QKMC sub-center is directly designated to provide services.
7. A flexible quantum secure mobile communication method according to claim 5, characterized in that: for the case that the QKD nodes bound by the calling and called mobile terminals do not directly bind to the QKMC at the same time and do not belong to the same QKMC sub-center:
(1) if the effective shortest link between the QKD nodes bound by the calling mobile terminal and the called mobile terminal passes through the QKMC but does not pass through the QKMC sub-center bound by the calling mobile terminal and the called mobile terminal, the QKMC provides the service;
(2) if the effective shortest link between the QKD nodes bound by the calling and called mobile terminals only passes through one bound QKMC sub-center but not passes through the QKMC, the QKMC sub-center directly provides service;
(3) if the effective shortest link between the QKD nodes bound by the calling mobile terminal and the called mobile terminal passes through the QKMC sub-center bound by the calling mobile terminal and the called mobile terminal at the same time but does not pass through the QKMC, the QKMC preferentially appoints the QKMC sub-center to which the calling mobile terminal belongs to provide the service;
(4) if the effective shortest link between the QKD nodes bound by the calling mobile terminal and the called mobile terminal passes through the QKMC sub-center bound by the QKMC and the calling mobile terminal but does not pass through the QKMC sub-center bound by the called mobile terminal, the QKMC sub-center bound by the calling mobile terminal provides the service;
(5) if the effective shortest link between the QKD nodes bound by the calling mobile terminal and the called mobile terminal passes through the QKMC sub-center bound by the QKMC and the called mobile terminal but does not pass through the QKMC sub-center bound by the calling mobile terminal, the QKMC sub-center bound by the called mobile terminal provides the service;
(6) if the effective shortest link between the QKD nodes bound by the calling and called mobile terminals passes through the QKMC and the QKMC sub-center bound by the calling and called mobile terminals, the QKMC sub-center bound by the calling mobile terminal provides the service.
8. A flexible quantum secure mobile communication method according to claim 5, characterized in that: for the QKD nodes bound by the calling and called mobile terminals, the QKMC is not directly bound at the same time, nor belongs to the same QKMC sub-center, and the shortest effective path does not pass through the QKMC nor the QKMC sub-center bound by the calling and called mobile terminals, wherein: the QKD node bound by the calling mobile terminal is QKD _ a, and the QKD node bound by the called mobile terminal is QKD _ B, then the QKMC performs the following operations:
(a) calculating the shortest path 1 between the QKMC branch center to which the QKD _ A, QKD _ A belongs and the QKD _ B;
(b) calculating the shortest path 2 between the QKMC branch center to which the QKD _ A, QKD _ B belongs and the QKD _ B;
(c) comparing the shortest path 1 with the shortest path 2, and if the shortest path 1 is optimal, designating a QKMC sub-center to which the QKD _ A belongs to provide the service; otherwise, the QKD _ B is assigned to the QKMC sub-center to provide the service.
9. A flexible quantum secure mobile communication method according to claim 1, characterized in that: the content of the service instruction comprises: the quantum identity number of the calling or called mobile terminal and the address of the QKD node which has a binding relationship with the mobile terminal.
CN201810132408.2A 2018-02-09 2018-02-09 Flexible quantum secure mobile communication method Active CN108462573B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810132408.2A CN108462573B (en) 2018-02-09 2018-02-09 Flexible quantum secure mobile communication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810132408.2A CN108462573B (en) 2018-02-09 2018-02-09 Flexible quantum secure mobile communication method

Publications (2)

Publication Number Publication Date
CN108462573A CN108462573A (en) 2018-08-28
CN108462573B true CN108462573B (en) 2020-10-23

Family

ID=63239907

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810132408.2A Active CN108462573B (en) 2018-02-09 2018-02-09 Flexible quantum secure mobile communication method

Country Status (1)

Country Link
CN (1) CN108462573B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109005034B (en) * 2018-09-19 2020-10-02 北京邮电大学 Multi-tenant quantum key supply method and device
CN110381011A (en) * 2018-12-04 2019-10-25 天津京东深拓机器人科技有限公司 A kind of method and apparatus for realizing logistics equipment secure communication
CN111277549B (en) * 2018-12-05 2022-05-03 杭州希戈科技有限公司 Security service method and system adopting block chain
CN111342952B (en) * 2018-12-18 2022-12-09 杭州希戈科技有限公司 Safe and efficient quantum key service method and system
CN111431703B (en) * 2020-03-02 2022-10-25 哈尔滨工业大学 Hybrid QKD network system based on QKD protocol classification
CN111934871B (en) * 2020-09-23 2020-12-25 南京易科腾信息技术有限公司 Quantum key management service core network, system and quantum key negotiation method
CN112737781B (en) * 2021-03-29 2021-06-18 南京易科腾信息技术有限公司 Quantum key management service method, system and storage medium
CN113098872B (en) * 2021-04-02 2021-12-03 山东量子科学技术研究院有限公司 Encryption communication system and method based on quantum network and convergence gateway
CN116527259B (en) * 2023-07-03 2023-09-19 中电信量子科技有限公司 Cross-domain identity authentication method and system based on quantum key distribution network
CN116684093B (en) * 2023-08-02 2023-10-31 中电信量子科技有限公司 Identity authentication and key exchange method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010064003A1 (en) * 2008-12-05 2010-06-10 Qinetiq Limited Method of establishing a quantum key for use between network nodes
CN102196425A (en) * 2011-07-01 2011-09-21 安徽量子通信技术有限公司 Quantum-key-distribution-network-based mobile encryption system and communication method thereof
CN202121593U (en) * 2011-07-01 2012-01-18 安徽量子通信技术有限公司 Mobile encryption system based on quantum key distribution network
CN104243143A (en) * 2013-06-08 2014-12-24 安徽量子通信技术有限公司 Mobile secret communication method based on quantum key distribution network
CN107453869A (en) * 2017-09-01 2017-12-08 中国电子科技集团公司第三十研究所 A kind of method for the IPSecVPN for realizing quantum safety

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010064003A1 (en) * 2008-12-05 2010-06-10 Qinetiq Limited Method of establishing a quantum key for use between network nodes
CN102196425A (en) * 2011-07-01 2011-09-21 安徽量子通信技术有限公司 Quantum-key-distribution-network-based mobile encryption system and communication method thereof
CN202121593U (en) * 2011-07-01 2012-01-18 安徽量子通信技术有限公司 Mobile encryption system based on quantum key distribution network
CN104243143A (en) * 2013-06-08 2014-12-24 安徽量子通信技术有限公司 Mobile secret communication method based on quantum key distribution network
CN106972922A (en) * 2013-06-08 2017-07-21 科大国盾量子技术股份有限公司 A kind of mobile secret communication method based on quantum key distribution network
CN107453869A (en) * 2017-09-01 2017-12-08 中国电子科技集团公司第三十研究所 A kind of method for the IPSecVPN for realizing quantum safety

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"多用户量子通信方案及协议研究";刘晓慧;《中国博士学位论文全文数据库信息科技辑》;20131115;第I136-25页 *
"量子通信技术发展现状及面临的问题研究";徐兵杰等;《通信技术》;20140510;第13卷(第4期);第406-414页 *

Also Published As

Publication number Publication date
CN108462573A (en) 2018-08-28

Similar Documents

Publication Publication Date Title
CN108462573B (en) Flexible quantum secure mobile communication method
CN109995513B (en) Low-delay quantum key mobile service method
CN109587132B (en) Data transmission method and device based on alliance chain
CN109995510B (en) Quantum key relay service method
CN109842485B (en) Centralized quantum key service network system
CN103491531B (en) Power system WiMAX wireless communication networks uses the method that quantum key improves power information transmission security
CN110311883A (en) Identity management method, equipment, communication network and storage medium
CN113360925B (en) Method and system for storing and accessing trusted data in power information physical system
CN109995514A (en) A kind of safe and efficient quantum key Information Mobile Service method
CN109995511A (en) A kind of mobile secret communication method based on quantum key distribution network
CN111277404B (en) Method for realizing quantum communication service block chain
CN108540436B (en) Communication system and communication method for realizing information encryption and decryption transmission based on quantum network
CN101420686B (en) Industrial wireless network security communication implementation method based on cipher key
CN108847928B (en) Communication system and communication method for realizing information encryption and decryption transmission based on group type quantum key card
CN113114460B (en) Quantum encryption-based power distribution network information secure transmission method
WO2023082599A1 (en) Blockchain network security communication method based on quantum key
CN108964897B (en) Identity authentication system and method based on group communication
CN111342952B (en) Safe and efficient quantum key service method and system
CN101170404B (en) Method for secret key configuration based on specified group
CN115632779B (en) Quantum encryption communication method and system based on power distribution network
CN108769986A (en) A kind of GPRS remote transmitting gas meters encryption communication method
CN109995512A (en) A kind of mobile security application method based on quantum key distribution network
CN109842442B (en) Quantum key service method taking airport as regional center
CN114531680B (en) Light-weight IBC bidirectional identity authentication system and method based on quantum key
KR100892616B1 (en) Method For Joining New Device In Wireless Sensor Network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant