CN108809632B - Quantum secure socket layer device and system - Google Patents

Info

Publication number
CN108809632B
Authority
CN
China
Prior art keywords
quantum
data
socket layer
key
secure socket
Prior art date
Legal status
Active
Application number
CN201710294804.0A
Other languages
Chinese (zh)
Other versions
CN108809632A (en)
Inventor
陈洁容
李凯铭
Current Assignee
Quantumctek Guangdong Co ltd
Original Assignee
Quantumctek Guangdong Co ltd
Application filed by Quantumctek Guangdong Co ltd
Priority to CN201710294804.0A
Publication of CN108809632A
Application granted
Publication of CN108809632B

Classifications

    • H04L 9/0852 Quantum cryptography (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols > H04L 9/08 Key distribution or management, e.g. generation, sharing or updating of cryptographic keys or passwords > H04L 9/0816 Key establishment, i.e. processes or protocols whereby a shared secret becomes available to two or more parties for subsequent use)
    • H04L 69/162 Implementation details of TCP/IP or UDP/IP stack architecture involving adaptations of socket-based mechanisms (under H04L 69/00 Network arrangements, protocols or services independent of the application payload > H04L 69/16 Implementation or adaptation of IP, TCP or UDP > H04L 69/161 Implementation details of the stack architecture; specification of modified or new header fields)
    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage (under H04L 9/00 > H04L 9/08 Key distribution or management)

Abstract

The embodiments provide a quantum secure socket layer device and system. A quantum secure socket layer terminal exposes a server interface for exchanging data with a quantum security server; that interface encrypts and decrypts the exchanged data with symmetric quantum keys. The quantum security server exposes a matching terminal interface that encrypts and decrypts the same traffic with the same symmetric quantum keys. The result is a secure socket layer whose session encryption is keyed by quantum-distributed keys: data carried over the internet is encrypted under quantum keys, and the security of data transmission is improved.

Description

Quantum secure socket layer device and system
Technical Field
The invention relates to the field of communication technology, in particular to a quantum secure socket layer device and a quantum secure socket layer system.
Background
With the development of internet and communication technology, data is transmitted over the internet and services respond faster. To prevent the data from being intercepted or tampered with by illegitimate terminal equipment in transit, the transmitted data must be encrypted.
At present a secure data transmission network may be built with SSL VPN (Secure Sockets Layer Virtual Private Network) technology. SSL VPN, however, protects the traffic it carries over the internet with keys established by asymmetric (public-key) algorithms. The hardness assumptions behind those algorithms, integer factoring and elliptic-curve discrete logarithms, are solved efficiently by Shor's algorithm on a sufficiently large quantum computer, and their parameters must keep growing as classical computing power increases, so the asymmetric algorithm can be broken and the security of data transmitted over the internet is low.
Disclosure of Invention
The technical problem addressed by the invention is to provide a quantum secure socket layer device and system, so that data transmitted over the internet can be encrypted with quantum keys and transmitted securely.
The technical scheme for solving this problem is as follows:
A quantum secure socket layer terminal, comprising:
a receiver for receiving a first identifier and a first ciphertext sent by a quantum security server;
a server interface for obtaining a first quantum key from the first identifier and decrypting the first ciphertext with the first quantum key to obtain first data and a second identifier, and for obtaining a second quantum key from the second identifier and encrypting second data with the second quantum key to obtain a second ciphertext, where the second data is the data to be sent to the quantum security server;
a processor for processing the first data;
a transmitter for sending the second ciphertext to the quantum security server.
In one example, the quantum secure socket layer terminal further includes:
a quantum key storage device for storing a plurality of quantum keys and the identifier corresponding to each quantum key.
In one example,
the quantum key storage device is further configured to delete a quantum key, together with its identifier, once that key has been used once to encrypt or decrypt interactive data, where the interactive data is the data exchanged between the quantum secure socket layer terminal and the quantum security server.
In one example,
the quantum key storage device is configured to receive quantum data sent by a first quantum device and to process it according to preset processing logic, obtaining a plurality of new quantum keys and an identifier for each new quantum key, where the first quantum device and a second quantum device hold symmetric quantum keys and the second quantum device is connected to the quantum security server.
In one example, the quantum secure socket layer terminal further includes:
an alarm device for obtaining the alarm information corresponding to a preset alarm condition when that condition is met, the preset alarm conditions including a quantum key being abandoned, a ticket error, or ticket expiry;
the transmitter being further used to send the alarm information to the quantum security server.
A quantum security server, comprising:
a terminal interface for obtaining a first identifier and a second identifier, encrypting first data together with the second identifier under the first quantum key corresponding to the first identifier to obtain a first ciphertext, where the first data is the data to be sent to a quantum secure socket layer terminal, and decrypting a second ciphertext sent by the quantum secure socket layer terminal with the second quantum key corresponding to the second identifier to obtain second data;
a processor for processing the second data;
a first transmitter for sending the first identifier and the first ciphertext to the quantum secure socket layer terminal;
a first receiver for receiving the second ciphertext sent by the quantum secure socket layer terminal.
In one example, the quantum security server further comprises:
a quantum key storage device for storing a plurality of quantum keys and the identifier corresponding to each quantum key.
In one example,
the quantum key storage device is further configured to delete a quantum key, together with its identifier, once that key has been used once to encrypt or decrypt interactive data, where the interactive data is the data exchanged between the quantum secure socket layer terminal and the quantum security server.
In one example, the quantum security server further comprises:
a second receiver for receiving quantum data sent by a second quantum device, where the second quantum device and a first quantum device hold symmetric quantum keys and the first quantum device provides quantum data to the quantum secure socket layer terminal;
a quantum device interface for invoking the preset processing logic that matches both the device identifier and the communication protocol version, processing the quantum data with that logic to obtain a plurality of new quantum keys and an identifier for each new quantum key, and sending the new quantum keys and their identifiers to the quantum key storage device for updating;
a second transmitter for sending response information to the second quantum device.
In one example, the quantum security server further comprises:
an alarm device for obtaining the alarm information corresponding to a preset alarm condition when that condition is met, the preset alarm conditions including a ticket error or ticket expiry;
the first transmitter being further configured to send the alarm information to the quantum secure socket layer terminal.
A quantum secure socket layer system, comprising:
the quantum secure socket layer terminal and the quantum security server described above.
The technical scheme has the following beneficial effects:
the server interface of the quantum secure socket layer terminal and the terminal interface of the quantum security server encrypt and decrypt the data exchanged between the two with symmetric quantum keys. A secure socket layer keyed by quantum keys is thereby realized, data crossing the internet is encrypted under quantum keys, and the security of data transmission is improved.
Drawings
To illustrate the embodiments (and the prior art) more clearly, the drawings used in their description are briefly introduced below. They show only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic view of an application scenario structure of a quantum secure socket layer apparatus and system provided in the present invention;
fig. 2 is a schematic structural diagram of an example of a quantum secure socket layer terminal according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of another example of a quantum secure socket layer terminal according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of another example of a quantum secure socket layer terminal according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of another example of a quantum secure socket layer terminal according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an example of a quantum security server according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of another example of a quantum security server according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of another example of a quantum security server according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a quantum secure socket layer system according to an embodiment of the present invention.
Detailed Description
In order to provide an implementation scheme of data secure transmission in the internet, the embodiments of the present invention provide a quantum secure socket layer apparatus and system, and the following description is made in conjunction with the accompanying drawings, and it should be understood that the preferred embodiments described herein are only for illustrating and explaining the present invention, and are not intended to limit the present invention. And the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
In the prior art, when encrypted transmission over the internet is built on SSL VPN, an asymmetric algorithm is used. Such an algorithm needs two keys, a public key and a private key. A first device generates the pair and gives the public key to a second device; when the second device sends data to the first it encrypts the data with the public key, and the first device decrypts the resulting ciphertext with its private key to recover the data. The key pair is generated from a hard problem such as integer factoring (RSA) or elliptic-curve discrete logarithms. Those problems are exactly the ones a sufficiently large quantum computer solves efficiently with Shor's algorithm, and their classical parameters must keep growing as computing power increases, so the public and private keys can eventually be broken and the security of data transmission is low.
The quantum secure socket layer device and system of the embodiments encrypt data transmitted over the internet with quantum keys. Quantum key distribution rests on quantum mechanics (the uncertainty principle, the no-cloning theorem, quantum coherence), and its key-agreement step has information-theoretic security proofs. Two caveats matter in practice: those proofs assume an authenticated classical channel and honestly implemented devices, and the delivered key gives unconditional security for the data only when it is consumed as a one-time pad; when it keys a block cipher, the data enjoys that cipher's computational security with quantum-distributed key material. Encrypting data under a quantum key before it crosses the internet therefore improves the security of transmission.
The application scenarios of the quantum secure socket layer device and system provided by the present invention are summarized below with reference to the accompanying drawings.
As shown in fig. 1, the quantum secure socket layer terminal establishes communication with the user terminal, and the quantum secure socket layer terminal and the user terminal may be integrated into the same physical entity or different physical entities. When the quantum secure socket layer terminal and the user terminal are different physical entities, the quantum secure socket layer terminal and the user terminal are in the same private network, and data interaction between the quantum secure socket layer terminal and the user terminal does not need encryption.
The quantum secure socket layer terminal can provide an interface interacting with the quantum secure server for different user terminals, and the interface can realize encryption and decryption of data between the quantum secure socket layer terminal and the quantum secure server by adopting a quantum key. For example: the user terminal can be an e-commerce user terminal, an internet banking user terminal, an e-mail user terminal and the like. That is to say, the quantum secure socket layer terminal receives the data sent by the user terminal, encrypts the data by using the quantum key, and sends the encrypted data to the quantum secure server.
On one hand, the quantum security server provides an interface for interacting with the quantum secure socket layer terminal, which encrypts and decrypts the data between the two with quantum keys; on the other hand, it also provides an interface for interacting with the quantum device, which selects, according to the quantum device's identifier and communication protocol version, the processor able to handle the data that device sends.
Therefore, the quantum secure socket layer system composed of the quantum secure socket layer terminal and the quantum secure server can support different types of user terminals and also can support different types of quantum devices (different manufacturers or different versions of communication protocols, etc.), so that the data transmitted in the internet is encrypted and transmitted by adopting a quantum key, and the security of data transmission in the internet is improved.
The quantum device may be a quantum key management device or a quantum key distribution device.
The following describes the device and system of the secure socket layer in detail with reference to the accompanying drawings.
Fig. 2 is a schematic view of a terminal structure of a quantum secure socket layer according to an embodiment of the present invention, which includes:
and the receiver 201 is configured to receive the first identifier and the first ciphertext sent by the quantum security server.
The server interface 202 is configured to obtain a first quantum key according to the first identifier, and decrypt the first ciphertext by using the first quantum key to obtain first data and a second identifier; and acquiring a second quantum key by adopting the second identifier, and encrypting second data by utilizing the second quantum key to acquire a second ciphertext, wherein the second data is the data sent to the quantum security server.
And a processor 203 for processing the first data.
And the transmitter 204 is used for transmitting the second ciphertext to the quantum security server.
The quantum secure socket layer terminal is connected to a user terminal. The two may be integrated into one physical entity; when they are separate physical entities they sit in the same private network, so the user terminal sends data to the quantum secure socket layer terminal without encryption and the data exchanged between them is not exposed.
In practice the user terminal may be of many types, namely any terminal on the internet that needs to transmit encrypted data, so the quantum secure socket layer terminal supports many different kinds of user terminal: for example a terminal in an e-commerce application, in an internet banking application or in an e-mail application. Other types are possible and are not enumerated here.
The quantum secure socket layer terminal may support several network communication protocols, such as TCP/IP (Transmission Control Protocol/Internet Protocol), FTP (File Transfer Protocol) and HTTP (Hypertext Transfer Protocol), and can therefore receive data from user terminals that use different protocols.
The receiver 201 receives the first identifier and the first ciphertext sent by the quantum security server. The first identifier uniquely identifies the first quantum key, and the first ciphertext is the first data encrypted under that key.
The server interface 202 looks up the first quantum key from the first identifier and decrypts the first ciphertext with it to obtain the first data and the second identifier. The first data is the data the quantum security server sends to the quantum secure socket layer terminal.
Both the quantum secure socket layer terminal and the quantum security server store the correspondence between identifiers and quantum keys. For a given identifier the two sides hold a symmetric pair of quantum keys, so a ciphertext produced under one side's key for that identifier decrypts under the other side's key for the same identifier.
The second identifier names the second quantum key that the terminal uses when it sends data to the server. As a rule the quantum security server chooses the key the terminal must use for its reply, and the terminal learns that choice, the second identifier, only after decrypting the server's ciphertext.
The server interface 202 then looks up the second quantum key from the second identifier and encrypts the second data with it to obtain the second ciphertext. The second data is the data the terminal will send to the server; it originates from the user terminal and may be the result of the user terminal processing the first data, or other data the user terminal wants delivered to the server.
The server interface 202 thus serves both directions: it decrypts the server's first ciphertext into the first data destined for the user terminal, and it encrypts the user terminal's second data into the second ciphertext destined for the server. The user terminal can consume the first data directly without implementing decryption, and hands over the second data without implementing encryption.
The processor 203 processes the first data. When the terminal and the user terminal are one physical entity, the processor 203 may process the first data and generate the second data itself; for example, when the first data is authentication information, it performs the authentication. When they are separate physical entities, the processor 203 processes the first data and forwards it to the user terminal, which processes it to produce the second data.
The transmitter 204 sends the second ciphertext, obtained by encrypting the second data under the second quantum key, to the quantum security server.
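The exchange described above (server sends id1 and Enc(k1, id2 || first data); terminal decrypts, looks up k2 by id2, replies with Enc(k2, second data); every key is deleted after one use) as an added, runnable model. This is example code, not code from the patent or from Quantumctek. The patent specifies neither the cipher nor the message framing, so the following are assumptions: each pool entry is 64 bytes split into a 32-byte one-time XOR pad and a 32-byte HMAC-SHA256 key, identifiers are 4 bytes, a message is id || ciphertext || tag, and the key pool is a constructed random dictionary standing in for keys delivered by paired quantum devices. The class and function names (KeyStore, QuantumSecurityServer, QsslTerminal, seal, unseal) are the example's own.

```python
# Added example, not code from the patent: a minimal model of the exchange above.
# Assumptions (the patent names none of these): a pool entry is 64 bytes
# (32-byte one-time XOR pad + 32-byte HMAC key), identifiers are 4 bytes, and
# a message on the wire is id || ciphertext || HMAC-SHA256 tag.
import hashlib
import hmac
import secrets

ID_LEN, PAD_LEN, MAC_LEN = 4, 32, 32
KEY_LEN = PAD_LEN + MAC_LEN


class KeyStore:
    """identifier -> quantum key. A key is removed when looked up, so it serves once."""

    def __init__(self, keys):
        self._keys = dict(keys)

    def take(self, key_id):
        key = self._keys.pop(key_id, None)
        if key is None:  # unknown or already consumed: this is what defeats a replay
            raise KeyError(f"no usable key for id {key_id.hex()}")
        return key

    def next_id(self):
        return next(iter(self._keys))


def seal(key, key_id, plaintext):
    """XOR with the pad half of the key, then tag id || ciphertext with the MAC half."""
    pad, mac_key = key[:PAD_LEN], key[PAD_LEN:]
    if len(plaintext) > PAD_LEN:
        raise ValueError("plaintext longer than the one-time pad")
    ct = bytes(p ^ k for p, k in zip(plaintext, pad))
    return key_id + ct + hmac.new(mac_key, key_id + ct, hashlib.sha256).digest()


def unseal(key, msg):
    key_id, ct, tag = msg[:ID_LEN], msg[ID_LEN:-MAC_LEN], msg[-MAC_LEN:]
    pad, mac_key = key[:PAD_LEN], key[PAD_LEN:]
    expected = hmac.new(mac_key, key_id + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, pad))


class QuantumSecurityServer:
    def __init__(self, store):
        self.store = store
        self._pending = {}  # id2 -> key reserved for the terminal's reply

    def send(self, first_data):
        id1 = self.store.next_id()
        k1 = self.store.take(id1)
        id2 = self.store.next_id()
        self._pending[id2] = self.store.take(id2)  # reserved now, never issued twice
        return seal(k1, id1, id2 + first_data)  # id2 travels inside the ciphertext

    def receive(self, msg):
        k2 = self._pending.pop(msg[:ID_LEN], None)
        if k2 is None:
            raise KeyError("reply names an id the server did not issue, or is a replay")
        return unseal(k2, msg)


class QsslTerminal:
    def __init__(self, store):
        self.store = store

    def receive(self, msg):
        k1 = self.store.take(msg[:ID_LEN])  # consumed even if unseal fails: fail closed
        pt = unseal(k1, msg)
        return pt[ID_LEN:], pt[:ID_LEN]  # (first data, second identifier)

    def send(self, id2, second_data):
        return seal(self.store.take(id2), id2, second_data)


def make_pool(n):
    # Constructed stand-in for a pool both sides received from paired quantum devices.
    return {secrets.token_bytes(ID_LEN): secrets.token_bytes(KEY_LEN) for _ in range(n)}


def run_exchange(first=b"challenge", second=b"response"):
    pool = make_pool(4)
    server, terminal = QuantumSecurityServer(KeyStore(pool)), QsslTerminal(KeyStore(pool))
    c1 = server.send(first)
    first_data, id2 = terminal.receive(c1)
    c2 = terminal.send(id2, second)
    return {"first": first_data, "second": server.receive(c2),
            "c1": c1, "c2": c2, "server": server, "terminal": terminal}


def replay_is_rejected():
    r = run_exchange()
    for deliver, msg in ((r["terminal"].receive, r["c1"]), (r["server"].receive, r["c2"])):
        try:
            deliver(msg)
            return False  # a replayed ciphertext was accepted
        except KeyError:
            pass
    return True
```

Two design points are worth noting. The server pulls k2 out of its pool the moment it names id2, so a later message can never be issued under the same key, and the terminal consumes k1 before it knows whether the tag verifies; with one-time keys, a failed decryption must burn the key rather than leave it for a second attempt. A flipped ciphertext byte is caught by the tag (ValueError), a replayed message by the missing key (KeyError).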
In one example, the quantum secure socket layer terminal as shown in fig. 3 further includes:
quantum key storage device 301 is configured to store a plurality of quantum keys and an identifier corresponding to each quantum key.
The quantum key storage device 301 of the quantum secure socket layer terminal stores a plurality of quantum keys and their identifiers; each identifier uniquely names one quantum key. Every key in the terminal's storage device 301 is one half of a symmetric pair whose other half sits in the quantum security server's key set for this terminal. The storage device 301 is connected to the server interface 202, which looks up the key matching an identifier in the storage device 301.
To further improve security, once a key in the storage device 301 has been used once to encrypt or decrypt data exchanged between the terminal and the quantum security server, the storage device 301 deletes that key together with its identifier. Each key therefore serves exactly once: a replayed ciphertext names an identifier whose key no longer exists and cannot be decrypted, so replay is rejected and the security of data transmission over the internet is further improved. For this to hold, the deletion must happen on the receiving side as well as the sending side, and a key must count as consumed even when the decryption it was used for fails.
In fig. 3 the quantum key storage device 301 is integrated in the quantum secure socket layer terminal. In practice it may also be a separate physical entity, as in fig. 4, for example a USB key (UKey) that is detachably connected to the terminal over a USB interface. Other implementations are possible and are not described here.
When the keys stored in the quantum key storage device 301 satisfy the quantum key update condition, they must be updated. The update condition may take several forms. In a first form, a key has been used once to encrypt or decrypt data exchanged between the terminal and the quantum security server. In a second form, the amount of data or the number of times a key has been used for such encryption or decryption exceeds a preset threshold. In a third form, a preset update time is reached, the update time being the interval at which the keys in the storage device 301 are refreshed.
The update condition is not limited to these three forms and may be set according to actual needs.
At that point, as shown in fig. 5, the quantum key storage device 301 requests quantum data from a first quantum device it communicates with; the first quantum device delivers the quantum data, and the storage device 301 generates a plurality of new quantum keys and an identifier for each from it. At the same time the quantum security server requests quantum data from a second quantum device it communicates with, receives it, and likewise generates a plurality of new quantum keys and their identifiers. The first and second quantum devices hold symmetric quantum data.
When both quantum devices are quantum key distribution devices, they generate the symmetric quantum data between themselves by quantum key distribution. When both are quantum key management devices, the quantum key distribution device attached to the first and the one attached to the second generate the symmetric quantum data by quantum key distribution, and each quantum key management device receives the quantum data from its own quantum key distribution device.
After the quantum key storage device 301 obtains the quantum data, it processes it with preset processing logic agreed in advance with the quantum security server and obtains a plurality of new quantum keys and an identifier for each; the server processes its own quantum data with the same preset logic. The storage device 301 and the server thus refresh their keys in step and again hold symmetric pairs, the keys under the same identifier forming one pair. The preset processing logic fixes the key length, the algorithm that derives keys from the quantum data, and so on. Because the same identifier must name the same key on both sides, every input to the logic (the quantum data, the key length, and any counter or epoch from which identifiers are derived) must match exactly, and a mismatch should be detected before any key from the new pool is used.
In practical application, the quantum secure socket layer terminal can also directly communicate with the first quantum device, and the first quantum device directly provides a quantum key for the quantum secure socket layer terminal.
In the example shown in fig. 3, the quantum key storage device 301 is integrated in the quantum secure socket layer terminal. When it requests quantum data from the first quantum device in communication with it, the request goes through the quantum secure socket layer terminal; that is, it is the quantum secure socket layer terminal that communicates with the first quantum device.
In the example shown in fig. 4, the quantum key storage device 301 is an external physical entity that can be separated from the quantum secure socket layer terminal. It may request quantum data from the first quantum device through the quantum secure socket layer terminal, or through another terminal device, as long as the terminal device to which the quantum key storage device 301 is connected can communicate with the first quantum device.
In one example, the quantum secure socket layer terminal further includes:
the alarm device is used for acquiring the alarm information corresponding to a preset alarm condition when that condition is met, where the preset alarm condition includes a quantum key being abandoned (revoked), a certificate being invalid, or a certificate having expired;
the sender is further used for sending the alarm information to the quantum security server.
When the quantum secure socket layer terminal and the quantum security server are in a communication session and an error occurs during the session, the session must be interrupted immediately and the session record in the buffer deleted. When the quantum secure socket layer terminal detects the session error, it must send alarm information to the quantum security server before interrupting the session.
The alarm device of the quantum secure socket layer terminal checks whether the data handled by the terminal during the session is erroneous; when the session data meets a preset alarm condition, the current session is in error. In practical application, each preset alarm condition corresponds to one alarm message, and when the session data meets a preset alarm condition, the alarm message corresponding to that condition is acquired. The sender 204 of the quantum secure socket layer terminal sends the alarm information to the quantum security server.
In practical application, the preset alarm conditions include quantum key abandonment (revocation), whose alarm information is certificate_revoked; a certificate error, whose alarm information is bad_certificate; and certificate expiry, whose alarm information is certificate_expired.
In addition, the preset alarm conditions in the quantum secure socket layer terminal may further include: receiving an inappropriate message, with alarm information unexpected_message; receiving an incorrect MAC, with alarm information bad_record_mac; the decompression function receiving improper input, with alarm information decompression_failure; a field in a handshake message being out of range or incompatible with other fields, with alarm information illegal_parameter; and failure of the handshake, with alarm information handshake_failure. The preset alarm conditions in the quantum secure socket layer terminal may of course include other items as well, which are not described in detail here.
After the quantum security server receives the alarm information sent by the quantum security socket layer terminal, the reason that the quantum security socket layer terminal interrupts the session can be obtained.
Fig. 6 is a schematic structural diagram of a quantum security server according to an embodiment of the present invention, including:
the terminal interface 601 is configured to obtain a first identifier and a second identifier, encrypt first data and the second identifier by using a first quantum key corresponding to the first identifier to obtain a first ciphertext, where the first data is data sent to a quantum secure socket layer terminal; and decrypting a second ciphertext sent by the quantum secure socket layer terminal by adopting a second quantum key corresponding to the second identifier to obtain second data.
a processor 602 for processing the second data;
a first transmitter 603, configured to send the first identifier and the first ciphertext to the quantum secure socket layer terminal;
a first receiver 604, configured to receive the second ciphertext sent by the quantum secure socket layer terminal.
The terminal interface 601 in the quantum security server is an interface for implementing data interaction with the quantum security socket layer terminal. The terminal interface 601 obtains a first identifier and a second identifier, the first identifier is used for uniquely identifying a first quantum key, the first quantum key is used for encrypting first data, and the first data is data sent to a quantum security socket layer terminal by a quantum security server. The second identifier is used for uniquely identifying a second quantum key, and the second quantum key is used for encrypting second data, wherein the second data is the data sent by the quantum security socket layer terminal to the quantum security server.
That is to say, the terminal interface 601 in the quantum security server must determine not only the first quantum key that the server itself uses to encrypt the first data, but also the second quantum key that the quantum secure socket layer terminal will use to encrypt the second data. The terminal interface 601 encrypts the first data together with the second identifier using the first quantum key to obtain the first ciphertext, so the first ciphertext carries not only the first data sent by the quantum security server to the quantum secure socket layer terminal, but also the second identifier that uniquely identifies the second quantum key the terminal is to use for encryption.
The first sender 603 in the quantum security server sends the first ciphertext and the first identifier to the quantum security socket layer terminal, and the quantum security socket layer terminal may obtain the first quantum key according to the first identifier, decrypt the first ciphertext according to the first quantum key, and further obtain the first data and the second identifier. The specific implementation manner of this content is similar to that described in the quantum secure socket layer terminal shown in fig. 2, and reference is made to the technical description in the quantum secure socket layer terminal shown in fig. 2, which is not described herein again.
A first receiver 604 in the quantum security server receives the second ciphertext sent by the quantum secure socket layer terminal. The terminal interface 601 knows that the key used to encrypt the second ciphertext is the second quantum key, and decrypts the second ciphertext with the second quantum key to obtain the second data sent by the quantum secure socket layer terminal to the quantum security server. The processor 602 in the quantum security server then processes the decrypted second data.
Therefore, the terminal interface 601 in the quantum security server provides both the encryption function for the first data sent to the quantum secure socket layer terminal and the decryption function for the second ciphertext sent by the terminal. Data exchange between the quantum security server and the quantum secure socket layer terminal is thereby realized, and because the exchanged data is encrypted with quantum keys, the security of the data exchange between the two is ensured.
In one example, as shown in fig. 7, the quantum security server further includes:
the quantum key storage device 701 is configured to store a plurality of quantum keys and a corresponding identifier for each quantum key.
The quantum key storage device 701 in the quantum security server stores a plurality of quantum keys and identifications corresponding to the quantum keys. The identification corresponding to one quantum key can uniquely identify the quantum key. In the quantum key storage device 701 in the quantum security server, a quantum key corresponding to one identifier is a paired quantum key corresponding to the same identifier in the quantum security socket layer terminal. The quantum key storage device 701 is connected to the terminal interface 601, and the terminal interface 601 searches the quantum key corresponding to the identifier from the quantum key storage device 701 according to the identifier.
To further improve the security of data transmission, once a quantum key in the quantum key storage device 701 of the quantum security server has been used once as the key for encrypting or decrypting data exchanged between the quantum secure socket layer terminal and the quantum security server, the quantum key storage device 701 deletes that quantum key and its corresponding identifier. A quantum key in the quantum key storage device 701 can therefore be used only once as an encryption or decryption key for the exchanged data, which prevents replay attacks and further improves the security of data transmission over the internet.
When the quantum keys stored in the quantum key storage device 701 of the quantum security server satisfy a quantum key update condition, the quantum keys in the quantum key storage device 701 need to be updated. The quantum key update condition has several possible forms: in a first form, a quantum key has been used once as an encryption or decryption key for data exchanged between the quantum secure socket layer terminal and the quantum security server; in a second form, the number of times a quantum key has been used as such an encryption or decryption key exceeds a preset threshold; in a third form, a preset update time is reached, where the preset update time is the time interval at which the quantum keys in the quantum key storage device 701 are updated.
Of course, the quantum key updating condition is not limited to the above three possible implementation forms, and may be set according to actual needs.
The quantum security server, on one hand, can provide the terminal interface 601 which realizes data interaction with the quantum security socket layer terminal; on the other hand, a quantum device interface for data interaction with different types of quantum devices may also be provided, as described in detail below.
In one example, as shown in fig. 8, the quantum security server further includes:
and the second receiver 801 is configured to receive quantum data sent by a second quantum device, where the second quantum device is connected to the first quantum device, and the first quantum device provides the quantum data to the quantum secure socket layer terminal.
The quantum device interface 802 is configured to invoke a preset processing logic adapted to both the device identifier and the communication protocol version, process the quantum data by using the preset processing logic, obtain a plurality of new quantum keys and an identifier corresponding to each new quantum key, and send the obtained plurality of new quantum keys and the identifier corresponding to each new quantum key to the quantum key storage device 701 for updating.
A second transmitter 803, configured to transmit response information to the second quantum device.
Quantum devices are made by different manufacturers and use different versions of communication protocols, so the preset processing logic applied to the quantum data sent by a quantum device differs accordingly. For example, devices from different manufacturers may use different types of communication protocol with the quantum security server, and under one communication protocol, different protocol versions may process messages differently.
For this reason, the quantum security server provides a quantum device interface 802 that communicates with the quantum devices. The quantum device interface 802 stores a plurality of preset processing logics. Each preset processing logic may correspond to one combination of device identifier and communication protocol version, or to several such combinations, but any one combination of device identifier and communication protocol version corresponds to exactly one preset processing logic. Based on the device identifier and the communication protocol version carried in a communication request from a quantum device, the quantum device interface 802 can invoke the preset processing logic adapted to both.
Accordingly, the second receiver 801 in the quantum security server receives the quantum data transmitted by the second quantum device. It should be understood that when the quantum security server updates the quantum keys in the quantum key storage device 701 through data exchange with the second quantum device, the quantum key storage device 301 of the quantum secure socket layer terminal must update its quantum keys at the same time, through data exchange with the first quantum device.
When the first quantum device and the second quantum device are both quantum key distribution devices, they generate the symmetric quantum data between themselves using quantum key distribution. When both are quantum key management devices, the quantum key distribution device attached to the first quantum device and the quantum key distribution device attached to the second quantum device generate symmetric quantum data by quantum key distribution; the first quantum device then receives the quantum data from its attached quantum key distribution device, and the second quantum device receives the quantum data from its attached quantum key distribution device.
The quantum device interface 802 in the quantum security server looks up the preset processing logic corresponding to the device identifier and communication protocol version carried in the communication request, invokes that preset processing logic to process the quantum data sent by the quantum device, obtains a plurality of new quantum keys and an identifier corresponding to each new quantum key, sends them to the quantum key storage device 701, and updates the quantum keys stored there. When the quantum keys are updated, the preset processing logic used in the quantum security server is the same as that used in the quantum device. The quantum security server is thus suited to different types of quantum devices and can process the quantum data they send.
After the quantum data processing is completed, the second transmitter 803 in the quantum security server transmits response information to the second quantum device, that is, informs the second quantum device of the result of the quantum data processing.
Therefore, the quantum device interface 802 in the quantum security server realizes data exchange between the quantum security server and the quantum devices in the quantum key distribution network. Moreover, it provides access for different types of quantum devices: the data sent by each type of quantum device is received, and the adapted preset processing logic is invoked to process it.
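As an added example (not code from the patent or from the applicant) covering both the key generation from symmetric quantum data described for fig. 5 and the per-(device identifier, protocol version) dispatch of the quantum device interface 802 described above: a slicing logic that cuts the quantum data into fixed-length keys with batch-numbered identifiers stands in for the unspecified preset processing logic, and the device identifiers, version strings and key lengths in the registry are constructed. Because both ends feed the same quantum data through the same logic, they end up with identical (identifier, key) tables without ever transmitting an identifier during the update.

```python
from typing import Callable, Dict, List, Tuple

# A preset processing logic turns the quantum data shared by the first and second
# quantum devices into a list of (identifier, new quantum key) pairs.
ProcessingLogic = Callable[[bytes, int], List[Tuple[str, bytes]]]


def make_slicing_logic(key_len: int) -> ProcessingLogic:
    """Constructed logic: cut quantum data into consecutive keys of key_len bytes.

    The identifier is "<batch>-<index>", so the terminal side and the server side,
    which receive the same quantum data in the same batch, derive the same table.
    Trailing bytes shorter than key_len are dropped.
    """
    def logic(quantum_data: bytes, batch: int) -> List[Tuple[str, bytes]]:
        return [
            (f"{batch:04d}-{n:04d}", quantum_data[n * key_len:(n + 1) * key_len])
            for n in range(len(quantum_data) // key_len)
        ]
    return logic


# Registry of the quantum device interface: one logic per (device identifier,
# protocol version). One logic may serve several combinations, but a combination
# maps to exactly one logic. Device names, versions and key lengths are made up.
PRESET_LOGICS: Dict[Tuple[str, str], ProcessingLogic] = {
    ("vendorA-qkd", "1.0"): make_slicing_logic(32),
    ("vendorA-qkd", "1.1"): make_slicing_logic(32),   # new version, same logic
    ("vendorB-qkm", "2.0"): make_slicing_logic(16),
}


class QuantumDeviceInterface:
    """Receives quantum data from a quantum device and refreshes the key store."""

    def __init__(self, key_store: Dict[str, bytes]):
        self.key_store = key_store   # identifier -> quantum key
        self.batch = 0               # both ends advance this in lock step per update

    def handle(self, device_id: str, version: str, quantum_data: bytes) -> dict:
        logic = PRESET_LOGICS.get((device_id, version))
        if logic is None:
            # No adapted logic: the response tells the device its data was not used.
            return {"status": "unsupported_device", "added": 0}
        new_keys = logic(quantum_data, self.batch)
        self.batch += 1                      # next batch gets fresh identifiers
        for ident, key in new_keys:
            self.key_store[ident] = key
        return {"status": "ok", "added": len(new_keys)}


def both_sides_update(device_id: str, version: str, quantum_data: bytes):
    """Simulate the synchronous update: the server and the terminal each feed the
    same symmetric quantum data through the same logic and end up with identical tables."""
    server = QuantumDeviceInterface({})
    terminal = QuantumDeviceInterface({})
    s_resp = server.handle(device_id, version, quantum_data)
    t_resp = terminal.handle(device_id, version, quantum_data)
    return s_resp, t_resp, server.key_store, terminal.key_store
```

The batch counter is what keeps identifiers unique across successive updates; in a deployment it would have to be kept in step at both ends exactly as the quantum data itself is, otherwise the two tables would disagree on which key an identifier names.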
In one example, the quantum security server further comprises:
the alarm device is used for acquiring the alarm information corresponding to a preset alarm condition when that condition is met, where the preset alarm condition includes a certificate being invalid or a certificate having expired;
the first transmitter 603 is further configured to send the alarm information to the quantum secure socket layer terminal.
When the quantum secure socket layer terminal and the quantum security server are in a communication session and an error occurs during the session, the session must be interrupted immediately and the session record in the buffer deleted. When the quantum security server detects the session error, it must send alarm information to the quantum secure socket layer terminal before interrupting the session.
The alarm device of the quantum security server checks whether the data handled by the server during the session is erroneous; when the session data meets a preset alarm condition, the current session is in error. In practical application, each preset alarm condition corresponds to one alarm message, and when the session data meets a preset alarm condition, the alarm message corresponding to that condition is acquired. The first transmitter 603 of the quantum security server sends the alarm information to the quantum secure socket layer terminal.
In practical application, the preset alarm conditions include a certificate error, whose alarm information is bad_certificate, and certificate expiry, whose alarm information is certificate_expired.
In addition, the preset alarm conditions in the quantum security server may further include: the decompression function receiving improper input, with alarm information decompression_failure; and a field in a handshake message being out of range or incompatible with other fields, with alarm information illegal_parameter. The preset alarm conditions in the quantum security server may of course include other items as well, which are not described in detail here.
After the quantum security socket layer terminal receives the alarm information sent by the quantum security server, the reason that the quantum security server interrupts the session can be obtained.
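The exchange described for the terminal interface 601 (fig. 6), the single-use deletion of keys in the quantum key storage device 701 (fig. 7) and the alert handling described above for both ends, as an added Python simulation that is not part of the patent or of any product of the applicant. The cipher is a constructed stand-in (a SHA-256 counter-mode keystream with an HMAC-SHA256 tag), since the patent does not fix the encryption algorithm; the identifier format, the choice of unexpected_message for a replayed or unknown identifier, and the sample data are all assumptions.

```python
import hashlib
import hmac
import secrets

# Alert names listed in the description; the detecting end sends the alert, then tears down.
BAD_RECORD_MAC = "bad_record_mac"
UNEXPECTED_MESSAGE = "unexpected_message"   # assumed here for an unknown or consumed identifier


class SessionAborted(Exception):
    def __init__(self, alert):
        super().__init__(alert)
        self.alert = alert


def _subkeys(key):
    # Separate encryption and MAC sub-keys derived from one quantum key (constructed scheme).
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()


def _keystream(enc_key, n):
    # SHA-256 in counter mode; stand-in for the cipher the patent leaves unspecified.
    blocks = [hashlib.sha256(enc_key + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    # Encrypt-then-MAC: body = plaintext XOR keystream, tag = HMAC-SHA256(body).
    enc_key, mac_key = _subkeys(key)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def unseal(key, record):
    # Verify the tag in constant time before decrypting; ValueError on a bad MAC.
    enc_key, mac_key = _subkeys(key)
    body, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("bad record MAC")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, len(body))))


class Party:
    """One end of the session (server or terminal): one-time key table plus session buffer."""

    def __init__(self, key_store):
        self.keys = dict(key_store)   # identifier -> quantum key; identical tables on both ends
        self.buffer = []              # session record, deleted when the session is interrupted
        self.alerts_sent = []
        self.pending_id = None        # server: second identifier chosen for the reply

    def abort(self, alert):
        self.alerts_sent.append(alert)   # alert goes out before the session is interrupted
        self.buffer.clear()
        raise SessionAborted(alert)

    def take_key(self, ident):
        key = self.keys.pop(ident, None)   # single use: key and identifier are deleted
        if key is None:                    # unknown or already consumed identifier (replay)
            self.abort(UNEXPECTED_MESSAGE)
        return key

    # server side: first ciphertext = Enc(K1, id2 || first data), sent with id1 in the clear
    def send_first(self, first_data, id1, id2):
        key1 = self.take_key(id1)
        self.pending_id = id2
        id2_bytes = id2.encode()
        record = seal(key1, bytes([len(id2_bytes)]) + id2_bytes + first_data)
        self.buffer.append(("sent", id1))
        return id1, record

    def receive_second(self, record):
        key2 = self.take_key(self.pending_id)
        try:
            second_data = unseal(key2, record)
        except ValueError:
            self.abort(BAD_RECORD_MAC)
        self.buffer.append(("recv", second_data))
        return second_data

    # terminal side: look up K1 by id1, recover first data and id2, answer under K2
    def receive_first(self, id1, record, second_data):
        key1 = self.take_key(id1)
        try:
            plaintext = unseal(key1, record)
        except ValueError:
            self.abort(BAD_RECORD_MAC)
        n = plaintext[0]
        id2, first_data = plaintext[1:1 + n].decode(), plaintext[1 + n:]
        self.buffer.append(("recv", first_data))
        reply = seal(self.take_key(id2), second_data)
        self.buffer.append(("sent", id2))
        return first_data, reply


def run_demo():
    """Constructed scenario: a normal exchange, then a replayed record, then a tampered one."""
    shared = {f"0000-{n:04d}": secrets.token_bytes(32) for n in range(4)}
    server, terminal = Party(shared), Party(shared)
    out = {}
    id1, record = server.send_first(b"first data", "0000-0000", "0000-0001")
    out["first"], reply = terminal.receive_first(id1, record, b"second data")
    out["second"] = server.receive_second(reply)
    out["keys_left"] = (len(server.keys), len(terminal.keys))
    try:   # replay: the key behind id1 has been deleted, so the record cannot be accepted
        terminal.receive_first(id1, record, b"ignored")
    except SessionAborted as e:
        out["replay_alert"], out["buffer_after_abort"] = e.alert, len(terminal.buffer)
    id1, record = server.send_first(b"more data", "0000-0002", "0000-0003")
    tampered = record[:-1] + bytes([record[-1] ^ 0x01])   # flip one bit of the tag
    try:
        terminal.receive_first(id1, tampered, b"ignored")
    except SessionAborted as e:
        out["tamper_alert"] = e.alert
    return out
```

Deleting the key at lookup time (rather than after a successful decryption) is what makes the replay fail: the second presentation of the same first ciphertext finds no key under its identifier and the terminal aborts, sending its alert and wiping the buffer before the session ends, as the description requires.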
Fig. 9 is a schematic structural diagram of a quantum secure socket layer system according to an embodiment of the present invention, including:
a quantum secure socket layer terminal 901 as described above, and a quantum secure server 902 as described above.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that those skilled in the art can make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be construed as the protection scope of the present invention.

Claims (11)

1. A quantum secure socket layer terminal, comprising:
the receiver is used for receiving the first identification and the first ciphertext sent by the quantum security server;
the server interface is used for obtaining a first quantum key according to the first identifier and decrypting the first ciphertext by using the first quantum key to obtain first data and a second identifier; obtaining a second quantum key by adopting the second identifier, and encrypting second data by utilizing the second quantum key to obtain a second ciphertext, wherein the second data is the data sent to the quantum security server;
a processor for processing the first data;
a transmitter for transmitting the second ciphertext to the quantum security server.
2. The quantum secure socket layer terminal as claimed in claim 1, further comprising:
and the quantum key storage device is used for storing a plurality of quantum keys and the identification corresponding to each quantum key.
3. The quantum secure socket layer terminal of claim 2,
the quantum key storage device is further configured to delete a quantum key that has been used once as a key for encrypting or decrypting interactive data and an identifier corresponding to the quantum key, where the interactive data is data interacted between the quantum secure socket layer terminal and the quantum secure server.
4. The quantum secure socket layer terminal of claim 2,
the quantum key storage device is configured to receive quantum data sent by a first quantum device, process the quantum data according to a preset processing logic, and obtain a plurality of new quantum keys and an identifier corresponding to each new quantum key, where the quantum keys in the first quantum device and a second quantum device are symmetric quantum keys, and the second quantum device is connected to the quantum security server.
5. The quantum secure socket layer terminal according to any of claims 1-4, further comprising:
the alarm device is used for acquiring the alarm information corresponding to a preset alarm condition when that condition is met, where the preset alarm condition includes quantum key abandonment, a certificate error, or certificate expiry;
the sender is further used for sending the alarm information to the quantum security server.
6. A quantum security server, comprising:
the terminal interface is used for acquiring a first identifier and a second identifier, encrypting first data and the second identifier by adopting a first quantum key corresponding to the first identifier to acquire a first ciphertext, wherein the first data is data sent to a quantum secure socket layer terminal; decrypting a second ciphertext sent by the quantum secure socket layer terminal by using a second quantum key corresponding to the second identifier to obtain second data;
a processor for processing the second data;
the first transmitter is used for transmitting the first identifier and the first ciphertext to the quantum secure socket layer terminal;
and the first receiver is used for receiving the second ciphertext sent by the quantum secure socket layer terminal.
7. The quantum security server of claim 6, further comprising:
and the quantum key storage device is used for storing a plurality of quantum keys and the identification corresponding to each quantum key.
8. The quantum security server of claim 7,
the quantum key storage device is further configured to delete a quantum key that has been used once as a key for encrypting or decrypting interactive data and an identifier corresponding to the quantum key, where the interactive data is data interacted between the quantum secure socket layer terminal and the quantum secure server.
9. The quantum security server of claim 7, further comprising:
the second receiver is used for receiving quantum data sent by a second quantum device, the second quantum device and a quantum key in the first quantum device are symmetric quantum keys, and the first quantum device provides the quantum data for the quantum secure socket layer terminal;
the quantum device interface is used for calling a preset processing logic which is adaptive to both the device identifier and the communication protocol version, processing the quantum data by using the preset processing logic to obtain a plurality of new quantum keys and an identifier corresponding to each new quantum key, and sending the obtained plurality of new quantum keys and the identifier corresponding to each new quantum key to the quantum key storage device for updating;
a second transmitter for transmitting response information to the second quantum device.
10. The quantum security server of any one of claims 6-9, further comprising:
the alarm device is used for acquiring the alarm information corresponding to a preset alarm condition when that condition is met, where the preset alarm condition includes a certificate error or certificate expiry;
the first transmitter is further configured to send the alarm information to the quantum secure socket layer terminal.
11. A quantum secure socket layer system, comprising:
the quantum secure socket layer terminal of any one of claims 1 to 5, the quantum secure server of any one of claims 6 to 10.
CN201710294804.0A 2017-04-28 2017-04-28 Quantum safety sleeving layer device and system Active CN108809632B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710294804.0A CN108809632B (en) 2017-04-28 2017-04-28 Quantum safety sleeving layer device and system

Publications (2)

Publication Number Publication Date
CN108809632A CN108809632A (en) 2018-11-13
CN108809632B true CN108809632B (en) 2021-06-15

Family

ID=64069185

Country Status (1)

Country Link
CN (1) CN108809632B (en)

Also Published As

Publication number Publication date
CN108809632A (en) 2018-11-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant