CN110086627A - Quantum communication service station key negotiation method and system based on asymmetric key pool pair and timestamp - Google Patents
Quantum communication service station key negotiation method and system based on asymmetric key pool pair and timestamp
- Publication number: CN110086627A (application CN201910325032.1A)
- Authority
- CN
- China
- Prior art keywords
- key
- service station
- encryption
- authentication
- parameters
- Prior art date
- Legal status: Granted (the listed status is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Classifications
All H04L9 entries below sit under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication) / H04L9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols).
- H04L9/08 Key distribution or management > H04L9/0816 Key establishment > H04L9/0819 Key transport or distribution > H04L9/0825: key transport using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
- H04L9/08 > H04L9/0816 > H04L9/0838 Key agreement > H04L9/0841 involving Diffie-Hellman or related key agreement protocols > H04L9/0844: with user authentication or key authentication, e.g. ElGamal, MTI, MQV (Menezes-Qu-Vanstone) or Diffie-Hellman protocols using implicitly-certified keys
- H04L9/08 > H04L9/0816 > H04L9/0852 Quantum cryptography > H04L9/0855: quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
- H04L9/08 > H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords > H04L9/0872: using geo-location information, e.g. location data, time, relative position or proximity to other entities
- H04L9/32 Means for verifying the identity or authority of a user or for message authentication (authorization, entity authentication, data integrity or verification, non-repudiation, key authentication, verification of credentials) > H04L9/321 involving a third party or a trusted authority > H04L9/3213: using tickets or tokens, e.g. Kerberos
- H04L9/32 > H04L9/3297: involving time stamps, e.g. generation of time stamps
- Y (General tagging of new technological developments and of cross-sectional technologies spanning several IPC sections) / Y02 (Technologies or applications for mitigation or adaptation against climate change) / Y02D (Climate change mitigation technologies in ICT, i.e. ICT aiming at the reduction of their own energy use) / Y02D30/00 Reducing energy consumption in communication networks > Y02D30/70: in wireless communication networks
Abstract
This application concerns a quantum communication service station key negotiation method and system based on an asymmetric key pool pair and a timestamp. The key card used in this application is an independent, hardware-isolated device. Public keys, private keys and the other relevant parameters are stored in the key card's secure data area, which greatly reduces the chance that a key is stolen by malware or by a malicious operation, and keeps the keys from being obtained and broken by a quantum computer. The application also improves the authentication flow based on symmetric-key algorithms: the data in the authentication flow are protected by asymmetric-key encryption, so data encrypted under a public key can be decrypted only by the holder of the private key and by no one else, which improves the security of the symmetric-key authentication flow.
Description
Technical field
This application relates to the field of secure communication technology, and in particular to a quantum communication service station key negotiation method and system based on an asymmetric key pool pair and a timestamp.
Background art
The rapidly developing Internet has brought great convenience to people's lives and work: from home, people can send and receive e-mail, make phone calls, shop online and make bank transfers over the Internet. At the same time, network information security is becoming a potentially huge problem. In general, network information faces the following security risks: theft of information, tampering with information, attackers forging information, malicious sabotage, and so on.
Identity authentication is one means of protecting people's information on the network. Identity authentication, also called "identity verification" or "identity identification", is the process of confirming the identity of an operator in a computer or computer-network system, so as to determine whether that user has access rights and usage rights to a given resource. This lets the access policies of the computer and network system be executed reliably and efficiently, prevents attackers from impersonating legitimate users to obtain access to resources, and safeguards the security of the system and its data as well as the legitimate interests of authorized visitors.
At present, successful identity authentication relies mainly on cryptographic technology. In today's cryptography there are two main kinds of cryptosystem: symmetric-key cryptosystems, in which the encryption key and the decryption key are the same, and public-key cryptosystems, in which the encryption key and the decryption key differ and one of them can be made public. Most current identity authentication algorithms rely mainly on public-key cryptosystems.
In a public-key cryptosystem the encryption key (public key) and the decryption key (private key) are different. Because the encryption key is public, key distribution and management are very simple, and a public-key cryptosystem can also easily implement digital signatures.
Since public-key encryption appeared, scholars have proposed many kinds of public-key encryption methods, all of whose security rests on a hard mathematical problem. Classified by the underlying hard problem, the following three classes of system are currently considered secure and effective: systems based on large-integer factorization (represented by RSA), systems based on the discrete logarithm problem (represented by DSA), and systems based on the elliptic-curve discrete logarithm problem (ECC).
With the development of quantum computers, however, classical asymmetric-key encryption algorithms will no longer be secure: whether in encryption and decryption or in key exchange, a quantum computer can compute the private key from the public key, so the asymmetric keys in common use today will be unable to withstand a single blow in the quantum era. Quantum key distribution (QKD) equipment can currently ensure that a negotiated key cannot be obtained by an eavesdropper. But QKD is used mainly on the quantum backbone; the link from user equipment to the quantum communication service station is still a classical network, so it is difficult to guarantee the security of the authentication procedure with asymmetric algorithms alone.
Problems with the existing technology:
1. A symmetric key pool is used between the quantum communication service station and the quantum key card; its capacity is huge, which puts pressure on key storage at the quantum communication service station.
2. Because the symmetric key pool is so large, the quantum communication service station has to store the keys, encrypted, on ordinary storage media such as hard disks; they cannot be kept inside the service station's key card.
3. Because the symmetric key pool is so large, key backup is troublesome.
Summary of the invention
In view of the above technical problems, it is necessary to provide a quantum communication service station key negotiation method and system based on an asymmetric key pool pair and a timestamp.
This application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, implemented on the active side, in which the method includes:
Generating an authentication parameter NA and an encryption parameter KR, and sending to the service station the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station's public key; the authentication parameter NA is used by the service station to generate a ticket TICKET, and the ticket TICKET is used by the passive side for verification;
Obtaining from the service station the encryption parameter KA encrypted with the active side's public key, together with the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA, the session key KAB being generated by the service station; decrypting and, after verifying the authentication parameter NA, trusting the session key KAB and sending the ticket TICKET to the passive side, where the ticket TICKET is used by the passive side for verification;
Obtaining from the passive side the authentication parameter NA and an authentication parameter NB encrypted with the session key KAB, the authentication parameter NB being generated by the passive side; decrypting and, after verifying the authentication parameter NA, trusting the session key KAB; and sending to the passive side the authentication parameter NB encrypted with the session key KAB, which the passive side verifies before trusting the session key KAB.
This application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, implemented at the service station, in which the method includes:
Obtaining from the active side the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station's public key, the authentication parameter NA and the encryption parameter KR being generated by the active side; generating a session key KAB, an encryption parameter KA, an encryption parameter KB and a timestamp T1 of the current time, and making a ticket TICKET that contains the encryption parameter KB encrypted with the passive side's public key together with the authentication parameter NA, the session key KAB and the timestamp T1 encrypted with the encryption parameter KB; and sending to the active side the encryption parameter KA encrypted with the active side's public key, together with the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA.
This application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, implemented on the passive side, in which the method includes:
Receiving the ticket TICKET from the active side and generating a timestamp T2 for the received message; the ticket TICKET contains the encryption parameter KB generated by the service station and encrypted with the passive side's public key and, encrypted with the encryption parameter KB, the authentication parameter NA generated by the active side, the session key KAB generated by the service station and the timestamp T1; decrypting and verifying that the difference between the timestamp T1 and the timestamp T2 is less than or equal to a preset value; trusting the ticket TICKET and generating an authentication parameter NB, and sending to the active side the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB, the authentication parameter NA being used by the active side for authentication;
Obtaining from the active side the authentication parameter NB encrypted with the session key KAB, decrypting it, and trusting the session key KAB after verifying the authentication parameter NB.
This application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, in which the method includes:
The active side generates an authentication parameter NA and an encryption parameter KR, and sends to the service station the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station's public key;
The service station obtains and decrypts these, then generates a session key KAB, an encryption parameter KA, an encryption parameter KB and a timestamp T1 of the current time, and makes a ticket TICKET containing the encryption parameter KB encrypted with the passive side's public key and, encrypted with the encryption parameter KB, the authentication parameter NA, the session key KAB and the timestamp T1; it sends to the active side the encryption parameter KA encrypted with the active side's public key, together with the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA;
The active side obtains and decrypts these, verifies the authentication parameter NA, then trusts the session key KAB and sends the ticket TICKET to the passive side;
The passive side obtains and decrypts the ticket and verifies that the difference between the timestamp T1 and the timestamp T2 is less than or equal to a preset value; it trusts the ticket TICKET, generates an authentication parameter NB, and sends to the active side the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB;
The active side obtains and decrypts these, verifies the authentication parameter NA and trusts the session key KAB; it sends to the passive side the authentication parameter NB encrypted with the session key KAB;
The passive side obtains and decrypts this, verifies the authentication parameter NB and trusts the session key KAB.
Further, the service station is divided into a service station QA and a service station QB; the active side is a sub-device of service station QA and the passive side is a sub-device of service station QB;
Service station QA obtains from the active side the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station's public key; it decrypts these, generates the session key KAB, and sends the authentication parameter NA and the session key KAB, encrypted, to service station QB;
Service station QB obtains and decrypts these, then generates the encryption parameter KB and the timestamp T1 of the current time and makes the ticket TICKET, which contains the encryption parameter KB encrypted with the passive side's public key and, encrypted with the encryption parameter KB, the authentication parameter NA, the session key KAB and the timestamp T1; it sends the ticket TICKET, encrypted, to service station QA;
Service station QA obtains and decrypts the ticket TICKET, then generates the encryption parameter KA and sends to the client the encryption parameter KA encrypted with the active side's public key, together with the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA.
Further, the session key KAB is split into a message encryption/decryption key KABE and a message authentication key KABA.
This application discloses an active-side device, comprising a memory and a processor, the memory storing a computer program; when the processor executes the computer program it carries out the steps of the quantum communication service station key negotiation method described in the above technical solution.
This application discloses a service station device, comprising a memory and a processor, the memory storing a computer program; when the processor executes the computer program it carries out the steps of the quantum communication service station key negotiation method described in the above technical solution.
This application discloses a passive-side device, comprising a memory and a processor, the memory storing a computer program; when the processor executes the computer program it carries out the steps of the quantum communication service station key negotiation method described in the above technical solution.
This application discloses a quantum communication service station identity authentication system based on an asymmetric key pool, comprising an active side, a passive side, a service station and a communication network. The active side is configured with an active-side key card, which stores a service station public key pool, the active side's public key and the active side's private key. The passive side is configured with a passive-side key card, which stores a service station public key pool, the passive side's public key and the passive side's private key. The service station is configured with a service station key card, which stores a service station private key pool, an active-side public key pool and a passive-side public key pool.
The active side, the passive side and the service station carry out, over the communication network, the steps of the quantum communication service station key negotiation method described in the above technical solution.
In this application the key card used is an independent, hardware-isolated device. Public keys, private keys and the other relevant parameters are stored in the key card's secure data area, which greatly reduces the chance that a key is stolen by malware or by a malicious operation, and keeps the keys from being obtained and broken by a quantum computer. Because no public or private key and no algorithm parameter is ever transmitted over the classical network, the risk of the asymmetric keys being broken is very low; in addition, messages between service stations are transmitted encrypted using QKD, so the security of those messages is greatly assured. The key card secures communication between the two communicating parties within the group and also greatly improves the security of identity authentication. At the same time, the asymmetric key pool removes the key-storage pressure that a symmetric key pool places on the quantum communication service station and reduces storage cost. For example, if each user's symmetric key pool is 1 GB and there are N users, the quantum communication service station must store N GB of key pools; with an asymmetric key pool, the user side still stores a 1 GB key pool, but the quantum communication service station likewise needs to store only 1 GB.
At the same time, this application improves the authentication flow based on symmetric-key algorithms: the data in the authentication flow are protected by asymmetric-key encryption, and data encrypted under a public key can be decrypted only by the holder of the private key and by no one else, which improves the security of the symmetric-key authentication flow.
Brief description of the drawings
Fig. 1 is a schematic diagram of the key pool layout in the service station key card of the present invention;
Fig. 2 is a schematic diagram of the key pool layout in the client key card of the present invention;
Fig. 3 is the authentication flow diagram of Embodiment 1;
Fig. 4 is the authentication flow diagram of Embodiment 2.
Detailed description of embodiments
In order to make the objects, technical solutions and advantages of this application clearer, the application is further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the application and not to limit it. Unless otherwise specified, the service station in this application is a quantum communication service station. Each name in this application is identified by its combination of letters and digits: for example, Q, service station Q and "the service station" below all mean the same thing, namely service station Q; likewise device parameter IDA and IDA hereinafter mean the same thing, namely device parameter IDA; the remaining names follow the same rule.
This application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, implemented on the active side, in which the method includes:
Generating an authentication parameter NA and an encryption parameter KR, and sending to the service station the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station's public key; the authentication parameter NA is used by the service station to generate a ticket TICKET, and the ticket TICKET is used by the passive side for verification;
Obtaining from the service station the encryption parameter KA encrypted with the active side's public key, together with the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA, the session key KAB being generated by the service station; decrypting and, after verifying the authentication parameter NA, trusting the session key KAB and sending the ticket TICKET to the passive side; the ticket TICKET is used by the passive side for verification and for generating the authentication parameter NB;
Obtaining from the passive side the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB, the authentication parameter NB being generated by the passive side; decrypting and, after verifying the authentication parameter NA, trusting the session key KAB; and sending to the passive side the authentication parameter NB encrypted with the session key KAB, which the passive side verifies before trusting the session key KAB.
This application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, implemented at the service station, in which the method includes:
Obtaining from the active side the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station's public key, the authentication parameter NA and the encryption parameter KR being generated by the active side; generating a session key KAB, an encryption parameter KA, an encryption parameter KB and a timestamp T1 of the current time, and making a ticket TICKET that contains the encryption parameter KB encrypted with the passive side's public key together with the authentication parameter NA, the session key KAB and the timestamp T1 encrypted with the encryption parameter KB; sending to the active side the encryption parameter KA encrypted with the active side's public key, together with the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA. The ticket TICKET is used by the passive side, after it has verified the ticket, to obtain the session key KAB and begin communicating.
This application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, implemented on the passive side, in which the method includes:
Receiving the ticket TICKET from the active side and generating a timestamp T2 for the received message; the ticket TICKET contains the encryption parameter KB generated by the service station and encrypted with the passive side's public key and, encrypted with the encryption parameter KB, the authentication parameter NA generated by the active side, the session key KAB generated by the service station and the timestamp T1; decrypting and verifying that the difference between the timestamp T1 and the timestamp T2 is less than or equal to a preset value; trusting the ticket TICKET and generating an authentication parameter NB, and sending to the active side the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB, the authentication parameter NA being used by the active side for authentication;
Obtaining from the active side the authentication parameter NB encrypted with the session key KAB, decrypting it, and trusting the session key KAB after verifying the authentication parameter NB.
This application discloses a quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, in which the method includes:
The active side generates an authentication parameter NA and an encryption parameter KR, and sends to the service station the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station's public key;
The service station obtains and decrypts these, then generates a session key KAB, an encryption parameter KA, an encryption parameter KB and a timestamp T1 of the current time, and makes a ticket TICKET containing the encryption parameter KB encrypted with the passive side's public key and, encrypted with the encryption parameter KB, the authentication parameter NA, the session key KAB and the timestamp T1; it sends to the active side the encryption parameter KA encrypted with the active side's public key, together with the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA;
The active side obtains and decrypts these, verifies the authentication parameter NA, then trusts the session key KAB and sends the ticket TICKET to the passive side;
The passive side obtains and decrypts the ticket and verifies that the difference between the timestamp T1 and the timestamp T2 is less than or equal to a preset value; it trusts the ticket TICKET, generates an authentication parameter NB, and sends to the active side the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB;
The active side obtains and decrypts these, verifies the authentication parameter NA and trusts the session key KAB; it sends to the passive side the authentication parameter NB encrypted with the session key KAB;
The passive side obtains and decrypts this, verifies the authentication parameter NB and trusts the session key KAB.
In one embodiment, as described in Embodiment 1, the service station is divided into a service station QA and a service station QB; the active party is a subordinate device of the service station QA and the passive party is a subordinate device of the service station QB;
the service station QA obtains from the active party the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station public key; it decrypts them, generates the session key KAB, and sends the authentication parameter NA and the session key KAB, encrypted, to the service station QB;
the service station QB obtains and decrypts these, generates the encryption parameter KB and the timestamp T1 of the current time, and produces the ticket TICKET, which contains the encryption parameter KB encrypted with the public key of the passive party, together with the authentication parameter NA, the session key KAB and the timestamp T1 encrypted with the encryption parameter KB; it sends the ticket TICKET, encrypted, to the service station QA;
the service station QA obtains and decrypts this to recover the ticket TICKET, generates the encryption parameter KA, and sends to the client (the active party) the encryption parameter KA encrypted with the public key of the active party, together with the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA.
In one embodiment, the session key KAB is split into a message encryption and decryption key KABE and a message authentication key KABA.
The present application discloses an active party device, including a memory and a processor; the memory stores a computer program, and when the processor executes the computer program it carries out the steps of the quantum communication service station key negotiation method of the above technical solution.
The present application discloses a service station device, including a memory and a processor; the memory stores a computer program, and when the processor executes the computer program it carries out the steps of the quantum communication service station key negotiation method of the above technical solution.
The present application discloses a passive party device, including a memory and a processor; the memory stores a computer program, and when the processor executes the computer program it carries out the steps of the quantum communication service station key negotiation method of the above technical solution.
The present application discloses a quantum communication service station identity authentication system based on an asymmetric key pool, including an active party, a passive party, a service station and a communication network. The active party is provided with an active party key card, in which a service station public key pool, the active party public key and the active party private key are stored; the passive party is provided with a passive party key card, in which a service station public key pool, the passive party public key and the passive party private key are stored; the service station is provided with a service station key card, in which a service station private key pool, an active party public key pool and a passive party public key pool are stored;
the active party, the passive party and the service station carry out, over the communication network, the steps of the quantum communication service station key negotiation method of the above technical solution.
A practical deployment scenario of the technical solution of the present application is mutual identity authentication between any two objects A and B within one system based on asymmetric key pools. In the key pool system of the present application, each object has a key card that can store a large quantity of key material and also has the capability to process information. In the present application, the required algorithms are present in the local systems of both object A and object B.
A description of the key card can be found in the patent with application number 201610843210.6. For a mobile terminal, the key card is preferably a key SD card; for a fixed terminal, the key card is preferably a key USB key or a host key board.
Compared with the patent with application number 201610843210.6, the key card issuing mechanism is different. In the present patent, the key card issuing party is the key card supervising party, generally the management department of a group, such as the management department of an enterprise or public institution; the key card recipients are the members managed by the key card supervising party, generally employees at all levels of that enterprise or public institution. A user terminal first applies to the key card supervising party to open an account. After the user terminal has registered and been approved, it obtains a key card (with a unique key card ID). The key card stores the user's registration information. The public key pools in the client key cards under the same quantum communication service station are all downloaded from the same Key Management server, and the public key pool stored in every client key card it issues is identical. Preferably, the size of the key pool stored in the key card may be 1G, 2G, 4G, 8G, 16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G and so on.
The key card is developed from smart card technology and is an identity authentication and encryption/decryption product that combines cryptographic technology, hardware security isolation technology and quantum physics technology (when it carries a quantum random number generator). The embedded chip and operating system of the key card provide functions such as secure storage of keys and cryptographic algorithms. Because it has independent data processing capability and good security, the key card becomes the security barrier for private keys and key pools. Each key card is protected by a hardware PIN code; the PIN code and the hardware form the two factors required for a user to use the key card, the so-called "two-factor authentication": a user can log in to the system only if they possess both the key card holding the relevant authentication information and the user's PIN code. Even if the user's PIN code is leaked, as long as the key card held by the user is not stolen, the identity of the legitimate user cannot be impersonated; if the user's key card is lost, the finder cannot impersonate the legitimate user either, because the finder does not know the user's PIN code. In short, the key card ensures that keys and other highly sensitive information never appear in plaintext on the host's disk or in its memory, so the security of that information is effectively guaranteed.
In the present application, key cards are divided into service station key cards and client (i.e. active party and passive party) key cards. As shown in Fig. 1, the key area of the service station key card mainly stores the client (active party and passive party) public key pool and the service station private key pool; as shown in Fig. 2, the key area of the client (active party and passive party) key card mainly stores the service station public key pool and one public/private key pair. The key cards are issued by the Key Management server.
Before issuing key cards, the Key Management server selects an algorithm that supports both encryption/decryption and signing. According to the number of clients, the Key Management server generates a corresponding number of private keys and public keys, i.e. numbers that satisfy the specification of that algorithm. The Key Management server also generates a corresponding number of IDs, selects a corresponding number of public/private key pairs, combines each public key with an ID to obtain an ID/public key entry, and writes the entries in ID/public key form into one file to form the public key pool file, i.e. the client public key pool described above. At the same time, the Key Management server writes the corresponding private keys into a file in the same way to form the private key pool file, i.e. the client private key pool. The ID of each private key in the client private key pool is identical to the ID of the corresponding public key in the client public key pool. The Key Management server then generates a large number of further private keys and public keys satisfying the algorithm specification and writes the public and private keys into two separate files, forming the service station public key pool and the service station private key pool; a public key in the service station public key pool corresponds to the private key at the same position in the service station private key pool. The first key card issued by the Key Management server is defined as the service station key card, and the service station private key pool, the client public key pool and the relevant algorithm parameters are written into its key area. The key cards issued subsequently by the Key Management server are client key cards: the Key Management server randomly selects an unassigned ID for the key card, takes the public and private key with that ID from the client public key pool and the client private key pool together with the service station public key pool, writes them into the key area of the key card, and writes the relevant parameters into the key card as well.
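The pool construction just described, and the position-based selection of PKQ by the client and of the matching SKQ by the service station (kp = fkp(R) in Step 1 and Step 2 of the embodiments below), can be exercised with the following Go program. It is an added example written for this page, not code from the patent or from any product it describes. The pointer function Fkp (SHA-256 of R reduced modulo the pool size), RSA-OAEP as the "algorithm that supports both encryption and signing", the 1024-bit key size and the entry type names are all assumptions made here, because the patent fixes none of them.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// PubEntry is one ID/public key line of the public key pool file; PrivEntry is the
// line at the same position in the private key pool file (same ID, matching key).
type PubEntry struct {
	ID  uint32
	Key *rsa.PublicKey
}

type PrivEntry struct {
	ID  uint32
	Key *rsa.PrivateKey
}

// GeneratePools plays the Key Management server: it generates n key pairs and
// writes the public halves to the pool handed to client key cards and the private
// halves to the pool written into the service station key card, position for position.
func GeneratePools(n int) (pub []PubEntry, priv []PrivEntry, err error) {
	for i := 0; i < n; i++ {
		k, genErr := rsa.GenerateKey(rand.Reader, 1024) // 1024 bits keeps the demo fast (assumption)
		if genErr != nil {
			return nil, nil, genErr
		}
		id := uint32(i + 1)
		pub = append(pub, PubEntry{ID: id, Key: &k.PublicKey})
		priv = append(priv, PrivEntry{ID: id, Key: k})
	}
	return pub, priv, nil
}

// Fkp is an assumed concrete form of the asymmetric key pointer function fkp: the
// true random number R is hashed and reduced modulo the pool size to give kp.
// The patent does not define fkp; it only requires both sides to compute it identically.
func Fkp(r []byte, poolSize int) int {
	h := sha256.Sum256(r)
	return int(binary.BigEndian.Uint32(h[:4]) % uint32(poolSize))
}

// ClientWrap is the client's part of Step 1: select PKQ at kp = fkp(R) from the
// service station public key pool and return {KR}PKQ (RSA-OAEP/SHA-256, assumed).
func ClientWrap(pub []PubEntry, r, kr []byte) ([]byte, error) {
	pk := pub[Fkp(r, len(pub))].Key
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, kr, nil)
}

// StationUnwrap is the service station's part of Step 2: recompute kp from the R
// that travelled in the clear, take SKQ at that position from the private key pool
// and recover KR. If R was altered so that fkp lands on another position, the wrong
// private key is selected and OAEP decryption fails, so the request is rejected.
func StationUnwrap(priv []PrivEntry, r, ekr []byte) ([]byte, error) {
	sk := priv[Fkp(r, len(priv))].Key
	kr, err := rsa.DecryptOAEP(sha256.New(), nil, sk, ekr, nil)
	if err != nil {
		return nil, errors.New("key at kp does not open {KR}PKQ: R altered or pools differ")
	}
	return kr, nil
}
```

Because R is sent unencrypted, its only job is to name a position; the station recomputes the same Fkp and, if the pools were written position for position as the text requires, the private key it picks is the partner of the public key the client used. Two cards whose pools differ, or two sides with different fkp, fail at the OAEP check rather than silently agreeing on a wrong KR.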
In the specific embodiments of the present application, the active party is referred to as client A and the passive party as client B.
Embodiment 1
System description
The scenario of this embodiment is shown in Fig. 3. It includes client A, i.e. the active party, client B, i.e. the passive party, and the service station, which consists of quantum communication service station QA and quantum communication service station QB, abbreviated service station QA and service station QB. QA and QB each have their own Key Management server. Client A and client B are provided with client key cards, and quantum communication service station QA and quantum communication service station QB are provided with service station key cards. Client A belongs to quantum communication service station QA and client B belongs to quantum communication service station QB, i.e. the key cards of A and B are issued by the Key Management servers of QA and QB respectively. Let the ID of client A be IDA, its public key PKA and its private key SKA; let the ID of client B be IDB, its public key PKB and its private key SKB.
Step 1: Client A initiates an identity authentication request with client B to service station QA.
Client A generates an identity authentication request Request for authentication with client B; Request contains IDA||IDB and other necessary information. Client A generates true random numbers KR and NA with its matching random number generator and symmetrically encrypts Request and NA with KR to obtain {Request||NA}KR.
Client A generates a true random number RI with its matching random number generator and computes the key position pointer kpI from RI with the asymmetric key pointer function fkp. According to the key position pointer, client A takes the public key PKQAI of service station QA from the service station public key pool in its own key card. Client A encrypts KR with PKQAI to obtain {KR}PKQAI.
Client A sends RI||{Request||NA}KR||{KR}PKQAI to service station QA.
Step 2: Quantum communication service station QA forwards the request to quantum communication service station QB.
After receiving RI||{Request||NA}KR||{KR}PKQAI, service station QA computes the key position pointer kpI from the true random number RI with the asymmetric key pointer function fkp. According to the key position pointer, service station QA takes its own private key SKQAI from the service station private key pool in its own key card. Service station QA decrypts {KR}PKQAI with SKQAI to obtain KR, and decrypts {Request||NA}KR with the recovered KR to obtain Request and NA.
Service station QA generates the session key KAB between client A and client B with its matching key card, encrypts Request||NA||KAB with the key negotiated by QKD, and sends the result to QB.
Step 3: Quantum communication service station QB sends TICKET back to quantum communication service station QA.
Service station QB receives the message from service station QA and decrypts it with the QKD-negotiated key to obtain Request||NA||KAB.
Service station QB generates a true random number KB and symmetrically encrypts Request||NA||KAB with KB, including in the encryption the current time T1 obtained by service station QB as a timestamp. Service station QB then takes the public key PKB of client B from the client public key pool according to the IDB in Request and encrypts KB with it, obtaining {Request||NA||KAB||T1}KB||{KB}PKB as TICKET. TICKET is encrypted with the QKD-negotiated key and sent to QA.
Step 4: Quantum communication service station QA sends TICKET to client A.
After service station QA receives the TICKET encrypted with the QKD key and decrypts it with the QKD key, it generates a true random number KA and encrypts TICKET and Request||NA||KAB with KA. According to the IDA in Request it takes the public key PKA of client A from the client public key pool and encrypts KA with it. It sends {Request||NA||KAB||TICKET}KA||{KA}PKA to client A.
Step 5: Client A verifies the information and sends TICKET to client B.
Client A decrypts with its private key SKA to obtain KA, decrypts with KA to obtain Request||NA||KAB||TICKET, and checks whether NA equals the local NA. If they are equal, client A trusts KAB as the session key for communicating with client B, and then sends TICKET to client B.
Step 6: Client B verifies the validity of the timestamp.
After client B receives TICKET, it takes the local time T2 at which the message was received. It decrypts with its own private key SKB to obtain KB, and decrypts with KB to obtain Request||NA||KAB||T1. If the absolute value of the difference between T2 and T1 is not greater than the time threshold ΔT, i.e. |T2−T1| ≤ ΔT, TICKET is trusted as valid. ΔT may be set to 10 s.
Client B generates a random number NB with its matching random number generator, encrypts NA and NB with KAB and sends the result to client A.
Step 7: Client A authenticates client B and replies.
After client A receives {NA||NB}KAB from client B, it decrypts with KAB to obtain NA and NB. Client A checks whether NA equals the local NA; if so, the authentication of client B passes. Client A then encrypts NB with KAB and sends it to client B.
Step 8: Client B completes the authentication of client A.
After client B receives {NB}KAB from client A, it decrypts with KAB to obtain NB and checks whether NB equals the local NB; if so, the authentication of client A passes, the negotiation is complete, and the session key with client A is confirmed as KAB.
Step 9: Client A and client B communicate securely.
Client A and client B can use the key KAB for message encryption/decryption and message authentication. Preferably, KAB is split into KABE and KABA, used as the message encryption/decryption key and the message authentication key respectively.
Embodiment 2
System description
The scenario of this embodiment is shown in Fig. 4. It includes client A, i.e. the active party, client B, i.e. the passive party, and quantum communication service station Q, i.e. the service station, abbreviated service station Q. Client A and client B are provided with client key cards, and quantum communication service station Q is provided with a service station key card. These key cards are the same batch of key cards issued by the same Key Management server. Let the ID of client A be IDA, its public key PKA and its private key SKA; let the ID of client B be IDB, its public key PKB and its private key SKB.
Step 1: Client A initiates an identity authentication request with client B to service station Q.
Client A generates an identity authentication request Request for authentication with client B; Request contains IDA||IDB and other necessary information. Client A generates true random numbers KR and NA with its matching random number generator and symmetrically encrypts Request and NA with KR to obtain {Request||NA}KR.
Client A generates a true random number R with its matching random number generator and computes the key position pointer kp from R with the asymmetric key pointer function fkp. According to the key position pointer, client A takes the public key PKQ of service station Q from the service station public key pool in its own key card. Client A encrypts KR with PKQ to obtain {KR}PKQ.
Client A sends R||{Request||NA}KR||{KR}PKQ to service station Q.
Step 2: Quantum communication service station Q generates the session key and produces TICKET.
After receiving R||{Request||NA}KR||{KR}PKQ, service station Q computes the key position pointer kp from the true random number R with the asymmetric key pointer function fkp. According to the key position pointer, service station Q takes its own private key SKQ from the service station private key pool in its own key card. Service station Q decrypts {KR}PKQ with SKQ to obtain KR, and decrypts {Request||NA}KR with the recovered KR to obtain Request and NA.
Service station Q generates the session key KAB between client A and client B with its matching key card, and also generates two keys KA and KB. It symmetrically encrypts Request||NA||KAB with KB, including in the encryption the current time T1 obtained by service station Q as a timestamp. Service station Q then takes the public key PKB of client B from the client public key pool according to the IDB in Request and encrypts KB with it, obtaining {Request||NA||KAB||T1}KB||{KB}PKB as TICKET. Service station Q then encrypts TICKET and Request||NA||KAB with KA. According to the IDA in Request it takes the public key PKA of client A from the client public key pool and encrypts KA with it. It sends {Request||NA||KAB||TICKET}KA||{KA}PKA to client A.
Step 3: Client A verifies the information and sends TICKET to client B.
Client A decrypts with its private key SKA to obtain KA, decrypts with KA to obtain Request||NA||KAB||TICKET, and checks whether NA equals the local NA. If they are equal, client A trusts KAB as the session key for communicating with client B, and then sends TICKET to client B.
Step 4: Client B verifies the validity of the timestamp.
After client B receives TICKET, it takes the local time T2 at which the message was received. It decrypts with its own private key SKB to obtain KB, and decrypts with KB to obtain Request||NA||KAB||T1. If the absolute value of the difference between T2 and T1 is not greater than the preset value, i.e. the time threshold ΔT, so that |T2−T1| ≤ ΔT, TICKET is trusted as valid. ΔT may be set to 10 s.
Client B generates a random number NB with its matching random number generator, encrypts NA and NB with KAB and sends the result to client A.
Step 5: Client A authenticates client B and replies.
After client A receives {NA||NB}KAB from client B, it decrypts with KAB to obtain NA and NB. Client A checks whether NA equals the local NA; if so, the authentication of client B passes. Client A then encrypts NB with KAB and sends it to client B.
Step 6: Client B completes the authentication of client A.
After client B receives {NB}KAB from client A, it decrypts with KAB to obtain NB and checks whether NB equals the local NB; if so, the authentication of client A passes, the negotiation is complete, and the session key with client A is confirmed as KAB.
Step 7: Client A and client B communicate securely.
Client A and client B can use the key KAB for message encryption/decryption and message authentication. Preferably, KAB is split into KABE and KABA, used as the message encryption/decryption key and the message authentication key respectively.
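The complete exchange of Embodiment 2 (which is also the method summarised in the disclosure above, and Embodiment 1 apart from the QKD-protected hop between QA and QB, which is not modelled) is worked through in the following Go program with both clients and the service station in one process. It is an added example written for this page, not the patent's own code. Assumed here, because the text fixes none of them: AES-256-GCM as the symmetric cipher {M}K, RSA-OAEP/SHA-256 with 1024-bit keys as the public-key cipher {K}PK (the station's key pair is used directly rather than selected from the pool by kp), fixed-width fields for Request, NA, KAB and T1, and the names RunProtocol, envelope and unenvelope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Assumed primitives (the patent fixes none): {M}K is AES-256-GCM with a fresh random
// nonce; {K}PK is RSA-OAEP/SHA-256 with 1024-bit keys, so every {K}PK is 128 bytes.
const rsaBytes = 128

func rnd(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}
func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

func seal(key, msg []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := rnd(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, msg, nil)
}

func open(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// envelope builds {m}k || {k}pk, the shape of every message carrying a fresh key;
// unenvelope unwraps the trailing {k}pk with sk and then opens the leading {m}k.
func envelope(pk *rsa.PublicKey, k, m []byte) []byte {
	ek, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, k, nil)
	return cat(seal(k, m), ek)
}

func unenvelope(sk *rsa.PrivateKey, env []byte) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), nil, sk, env[len(env)-rsaBytes:], nil)
	if err != nil {
		return nil, err
	}
	return open(k, env[:len(env)-rsaBytes])
}

// RunProtocol runs Embodiment 2 end to end with one service station Q. skewB is added
// to B's clock so the |T2-T1| <= ΔT check (ΔT = 10 s as in the text) can be exercised.
// It returns KAB as held by A and by B, or an error at the first failed check.
// Plaintexts are fixed width for easy slicing: Request 8 (IDA||IDB), NA 16, KAB 32, T1 8.
func RunProtocol(skewB time.Duration) (kabA, kabB []byte, err error) {
	skA, _ := rsa.GenerateKey(rand.Reader, 1024)
	skB, _ := rsa.GenerateKey(rand.Reader, 1024)
	skQ, _ := rsa.GenerateKey(rand.Reader, 1024) // in the patent: pool entry at kp = fkp(R)
	// Step 1, A -> Q: {Request||NA}KR || {KR}PKQ
	kr, na := rnd(32), rnd(16)
	msg1 := envelope(&skQ.PublicKey, kr, cat([]byte("IDA_IDB_"), na))
	// Step 2, Q -> A: TICKET = {Request||NA||KAB||T1}KB || {KB}PKB, then {Request||NA||KAB||TICKET}KA || {KA}PKA
	p1, err := unenvelope(skQ, msg1)
	if err != nil {
		return nil, nil, err
	}
	kab, ka, kb := rnd(32), rnd(32), rnd(32)
	t1 := binary.BigEndian.AppendUint64(nil, uint64(time.Now().Unix()))
	ticket := envelope(&skB.PublicKey, kb, cat(p1, kab, t1))
	msg2 := envelope(&skA.PublicKey, ka, cat(p1, kab, ticket))
	// Step 3, A -> B: check NA, trust KAB, forward TICKET
	p2, err := unenvelope(skA, msg2)
	if err != nil || !bytes.Equal(p2[8:24], na) {
		return nil, nil, errors.New("A: reply unreadable or NA mismatch")
	}
	kabA, ticket = p2[24:56], p2[56:]
	// Step 4, B -> A: open TICKET, require |T2-T1| <= ΔT, reply {NA||NB}KAB
	p3, err := unenvelope(skB, ticket)
	if err != nil {
		return nil, nil, err
	}
	t1B := time.Unix(int64(binary.BigEndian.Uint64(p3[56:64])), 0)
	if d := time.Now().Add(skewB).Sub(t1B); d > 10*time.Second || d < -10*time.Second {
		return nil, nil, errors.New("B: TICKET timestamp outside ΔT, ticket rejected")
	}
	kabB, nb := p3[24:56], rnd(16)
	msg3 := seal(kabB, cat(p3[8:24], nb))
	// Step 5, A -> B: check NA again, answer {NB}KAB
	p4, err := open(kabA, msg3)
	if err != nil || !bytes.Equal(p4[:16], na) {
		return nil, nil, errors.New("A: NA mismatch in B's reply")
	}
	msg4 := seal(kabA, p4[16:])
	// Step 6, B: check NB; both ends now trust KAB
	if p5, err := open(kabB, msg4); err != nil || !bytes.Equal(p5, nb) {
		return nil, nil, errors.New("B: NB mismatch")
	}
	return kabA, kabB, nil
}
```

RunProtocol(0) ends with A and B holding the same KAB. RunProtocol(30*time.Second) puts B's clock 30 s ahead of the station's, so the |T2−T1| ≤ ΔT check in Step 4 rejects TICKET before any nonce is exchanged; the same happens with a clock 30 s behind. The check bounds only the age of the ticket, so the clocks of the station and of client B must agree to within ΔT for honest runs to succeed, and an honest ticket is accepted anywhere inside that window.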
The quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp implemented at the active party, the one implemented at the passive party and the one implemented at the service station, as set out in the claims, can each be derived from the specific steps of the technical solution disclosed above and are therefore not repeated here.
For the specific limitations of the active party device, the passive party device, the service station device and the system, reference may be made to the limitations of the quantum communication service station authentication method above, which are not repeated here. Each module in the above devices may be implemented wholly or partly by software, hardware or a combination of the two. The above modules may be embedded in hardware form in, or independent of, the processor of a computer device, or may be stored in software form in the memory of the computer device, so that the processor can invoke them to perform the operations corresponding to the above modules.
In one embodiment, a computer device is provided; the computer device may be a server, and its internal structure may be as shown in Fig. 3. The computer device includes a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer device provides computing and control capability. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides the environment for running the operating system and the computer program held in the non-volatile storage medium. The database of the computer device is used to store data related to identity authentication. The network interface of the computer device is used to communicate with external terminals over a network connection. When the computer program is executed by the processor, it implements the quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp.
Those skilled in the art will understand that the structure shown in Fig. 3 is only a block diagram of the part of the structure relevant to the solution of the present application and does not limit the computer device to which the solution of the present application is applied; a specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
Those of ordinary skill in the art will understand that all or part of the procedures in the methods of the above embodiments can be completed by instructing the relevant hardware through a computer program; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the procedures of the embodiments of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided in the present application may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described; however, as long as there is no contradiction in the combination of these technical features, it should be considered to be within the scope of this specification.
The above embodiments only express several implementations of the present application, and their description is relatively specific and detailed, but this must not be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the concept of the present application, and these all fall within the scope of protection of the present application. Therefore, the scope of protection of the present patent application shall be subject to the appended claims.
Claims (10)
1. A quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, implemented at an active party, characterized in that the quantum communication service station key negotiation method includes:
generating an authentication parameter NA and an encryption parameter KR, and sending to a service station the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with a service station public key; the authentication parameter NA being used by the service station to generate a ticket TICKET, and the ticket TICKET being used for verification by a passive party;
obtaining from the service station an encryption parameter KA encrypted with an active party public key, together with the authentication parameter NA, a session key KAB and the ticket TICKET encrypted with the encryption parameter KA, the session key KAB being generated by the service station; decrypting and verifying the authentication parameter NA, then trusting the session key KAB and sending the ticket TICKET to the passive party; the ticket TICKET being used for verification by the passive party;
obtaining from the passive party the authentication parameter NA and an authentication parameter NB encrypted with the session key KAB, the authentication parameter NB being generated by the passive party; decrypting and verifying the authentication parameter NA, then trusting the session key KAB; sending to the passive party the authentication parameter NB encrypted with the session key KAB, the authentication parameter NB being used by the passive party to verify and then trust the session key KAB.
2. A quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, implemented at a service station, characterized in that the quantum communication service station key negotiation method includes:
obtaining from an active party an authentication parameter NA encrypted with an encryption parameter KR and the encryption parameter KR encrypted with a service station public key, the authentication parameter NA and the encryption parameter KR being generated by the active party; generating a session key KAB, an encryption parameter KA, an encryption parameter KB and a timestamp T1 of the current time, and producing a ticket TICKET, the ticket TICKET containing the encryption parameter KB encrypted with a passive party public key, together with the authentication parameter NA, the session key KAB and the timestamp T1 encrypted with the encryption parameter KB;
sending to the active party the encryption parameter KA encrypted with an active party public key, together with the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA.
3. A quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, implemented at a passive party, characterized in that the quantum communication service station key negotiation method includes:
receiving a ticket TICKET from an active party and generating a timestamp T2 of the received message, the ticket TICKET containing an encryption parameter KB generated by a service station and encrypted with a passive party public key, together with an authentication parameter NA generated by the active party, a session key KAB generated by the service station and a timestamp T1, encrypted with the encryption parameter KB; decrypting and verifying that the difference between the timestamp T1 and the timestamp T2 is less than or equal to a preset value; trusting the ticket TICKET and generating an authentication parameter NB; sending to the active party the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB, the authentication parameter NA being used by the active party for authentication;
obtaining from the active party the authentication parameter NB encrypted with the session key KAB, decrypting and verifying the authentication parameter NB, and then trusting the session key KAB.
4. A quantum communication service station key negotiation method based on an asymmetric key pool pair and a timestamp, characterized in that the quantum communication service station key negotiation method includes:
an active party generates an authentication parameter NA and an encryption parameter KR, and sends to a service station the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with a service station public key;
the service station obtains and decrypts these, then generates a session key KAB, an encryption parameter KA, an encryption parameter KB and a timestamp T1 of the current time, and produces a ticket TICKET, the ticket TICKET containing the encryption parameter KB encrypted with a passive party public key, together with the authentication parameter NA, the session key KAB and the timestamp T1 encrypted with the encryption parameter KB; it sends to the active party the encryption parameter KA encrypted with an active party public key, together with the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA;
the active party obtains these, decrypts and verifies the authentication parameter NA, then trusts the session key KAB and sends the ticket TICKET to the passive party;
the passive party obtains the ticket, decrypts it and verifies that the difference between the timestamp T1 and a timestamp T2 is less than or equal to a preset value; it trusts the ticket TICKET and generates an authentication parameter NB, and sends to the active party the authentication parameter NA and the authentication parameter NB encrypted with the session key KAB;
the active party obtains these, decrypts and verifies the authentication parameter NA, then trusts the session key KAB; it sends to the passive party the authentication parameter NB encrypted with the session key KAB;
the passive party obtains this, decrypts and verifies the authentication parameter NB, and then trusts the session key KAB.
5. The quantum communication service station key agreement method according to any one of claims 1 to 4, characterized in that the service station is divided into a service station QA and a service station QB, the active party is a sub-device of the service station QA, and the passive party is a sub-device of the service station QB;
the service station QA obtains from the active party the authentication parameter NA encrypted with the encryption parameter KR and the encryption parameter KR encrypted with the service station public key; it decrypts them, generates the session key KAB, and sends the authentication parameter NA and the session key KAB, encrypted, to the service station QB;
the service station QB obtains and decrypts them, then generates the encryption parameter KB and the timestamp T1 of the current time and makes the ticket TICKET; the ticket TICKET contains the encryption parameter KB encrypted with the passive party's public key, and the authentication parameter NA, the session key KAB and the timestamp T1 encrypted with the encryption parameter KB; the ticket TICKET is encrypted and sent to the service station QA;
the service station QA obtains and decrypts the ticket TICKET, then generates the encryption parameter KA and sends to the client the encryption parameter KA encrypted with the active party's public key, and the authentication parameter NA, the session key KAB and the ticket TICKET encrypted with the encryption parameter KA.
6. The quantum communication service station key agreement method according to any one of claims 1 to 4, characterized in that the session key KAB is split into a message encryption/decryption key KABE and a message authentication key KABA.
7. An active party device, comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the quantum communication service station key agreement method according to claim 1.
8. A service station device, comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the quantum communication service station key agreement method according to claim 2.
9. A passive party device, comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the quantum communication service station key agreement method according to claim 3.
10. A quantum communication service station key agreement system based on an asymmetric key pool pair and a timestamp, characterized in that it comprises an active party, a passive party, a service station and a communication network; the active party is provided with an active party key card, in which a service station public key pool, an active party public key and an active party private key are stored; the passive party is provided with a passive party key card, in which a service station public key pool, a passive party public key and a passive party private key are stored; the service station is provided with a service station key card, in which a service station private key pool, an active party public key pool and a passive party public key pool are stored;
the active party, the passive party and the service station implement, through the communication network, the steps of the quantum communication service station key agreement method according to claim 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910325032.1A CN110086627B (en) | 2019-04-22 | 2019-04-22 | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and time stamp |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110086627A true CN110086627A (en) | 2019-08-02 |
CN110086627B CN110086627B (en) | 2023-08-04 |
Family
ID=67416078
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910325032.1A Active CN110086627B (en) | 2019-04-22 | 2019-04-22 | Quantum communication service station key negotiation method and system based on asymmetric key pool pair and time stamp |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110086627B (en) |
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160044007A1 (en) * | 2013-03-28 | 2016-02-11 | Commissariat A L'energie Atomique Et Aux Energies Alternatives | Method and device for establishing session keys |
CN105763563A (en) * | 2016-04-19 | 2016-07-13 | 浙江神州量子网络科技有限公司 | Identity authentication method during quantum secret key application process |
US20170338951A1 (en) * | 2016-05-19 | 2017-11-23 | Alibaba Group Holding Limited | Method and system for secure data transmission |
CN107404461A (en) * | 2016-05-19 | 2017-11-28 | 阿里巴巴集团控股有限公司 | Data safe transmission method, client and service end method, apparatus and system |
CN106357396A (en) * | 2016-09-23 | 2017-01-25 | 浙江神州量子网络科技有限公司 | Digital signature method, digital signature system and quantum key card |
CN108574569A (en) * | 2017-03-08 | 2018-09-25 | 中国移动通信有限公司研究院 | A kind of authentication method and authentication device based on quantum key |
CN108768653A (en) * | 2018-03-01 | 2018-11-06 | 如般量子科技有限公司 | Identity authorization system based on quantum key card |
CN109450623A (en) * | 2018-10-16 | 2019-03-08 | 如般量子科技有限公司 | Anti- quantum calculation cryptographic key negotiation method based on unsymmetrical key pond |
Non-Patent Citations (2)
Title |
---|
DENIS BUTIN: "Post-quantum authentication in OpenSSL with hash-based signatures" * |
魏振宇; 芦翔; 史庭俊: "Cross-domain key agreement protocol based on a PKI system" * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111245609A (en) * | 2020-01-17 | 2020-06-05 | 南京如般量子科技有限公司 | Secret sharing and random number based quantum secret communication key distribution and negotiation system and method thereof |
CN111245609B (en) * | 2020-01-17 | 2023-02-28 | 南京如般量子科技有限公司 | Secret sharing and random number based quantum secret communication key distribution and negotiation system and method thereof |
Also Published As
Publication number | Publication date |
---|---|
CN110086627B (en) | 2023-08-04 |
Similar Documents
Publication | Title |
---|---|
CN1689297B (en) | Method of preventing unauthorized distribution and use of electronic keys using a key seed |
CN106357401B (en) | A kind of storage of private key and application method |
US6073237A (en) | Tamper resistant method and apparatus |
JP4866863B2 (en) | Security code generation method and user device |
CN104184743B (en) | Towards three layers of Verification System and authentication method of cloud computing platform |
Rezaeighaleh et al. | New secure approach to backup cryptocurrency wallets |
CN110519046A (en) | Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD |
US11831753B2 (en) | Secure distributed key management system |
CN110138548A (en) | Based on unsymmetrical key pond to and DH agreement quantum communications service station cryptographic key negotiation method and system |
CN101815091A (en) | Cipher providing equipment, cipher authentication system and cipher authentication method |
CN111274599A (en) | Data sharing method based on block chain and related device |
CN110380859B (en) | Quantum communication service station identity authentication method and system based on asymmetric key pool pair and DH protocol |
CN105653986A (en) | Micro SD card-based data protection method and device |
CN110135175A (en) | Information processing, acquisition methods, device, equipment and medium based on block chain |
CN109347813A (en) | Internet of things equipment login method, system, computer equipment and storage medium |
CN110505055A (en) | Based on unsymmetrical key pond to and key card outer net access identity authentication method and system |
CN108537537A (en) | A kind of safe and reliable digital cash Wallet System |
CN110098925A (en) | Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system |
KR20090019576A (en) | Certification method and system for a mobile phone |
US20120284787A1 (en) | Personal Secured Access Devices |
CN113643134A (en) | Internet of things block chain transaction method and system based on multi-key homomorphic encryption |
CN110176989B (en) | Quantum communication service station identity authentication method and system based on asymmetric key pool |
CN108667801A (en) | A kind of Internet of Things access identity safety certifying method and system |
CN110493177A (en) | Based on unsymmetrical key pond to and sequence number quantum communications service station AKA cryptographic key negotiation method and system |
CN110519222A (en) | Outer net access identity authentication method and system based on disposable asymmetric key pair and key card |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||