CN110086627A - Based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method and system - Google Patents

Based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method and system Download PDF

Info

Publication number
CN110086627A
CN110086627A CN201910325032.1A CN201910325032A CN110086627A CN 110086627 A CN110086627 A CN 110086627A CN 201910325032 A CN201910325032 A CN 201910325032A CN 110086627 A CN110086627 A CN 110086627A
Authority
CN
China
Prior art keywords
key
service station
encryption
authentication
parameters
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910325032.1A
Other languages
Chinese (zh)
Other versions
CN110086627B (en
Inventor
富尧
钟一民
杨羽成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruban Quantum Technology Co Ltd
Original Assignee
Ruban Quantum Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ruban Quantum Technology Co Ltd filed Critical Ruban Quantum Technology Co Ltd
Priority to CN201910325032.1A priority Critical patent/CN110086627B/en
Publication of CN110086627A publication Critical patent/CN110086627A/en
Application granted granted Critical
Publication of CN110086627B publication Critical patent/CN110086627B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • H04L9/0855Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0872Generation of secret information including derivation or calculation of cryptographic keys or passwords using geo-location information, e.g. location data, time, relative position or proximity to other entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Abstract

This application involves based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method and system.In the application, the key card used is independent hardware isolated equipment.A possibility that public key, private key and other relevant parameters are stored in the data safety area in key card, steal key by Malware or malicious operation substantially reduces, and will not be obtained and be cracked by quantum computer;The application improves the identifying procedure based on symmetric key algorithm simultaneously; so that the data in identifying procedure are protected by asymmetric-key encryption; it can only be decrypted by private key owner by the data of public key encryption; all other men can not decrypt, therefore improve the safety of the identifying procedure based on symmetric key algorithm.

Description

Based on unsymmetrical key pond to and timestamp quantum communications service station key agreement side Method and system
Technical field
This application involves safety communication technology field, more particularly to based on unsymmetrical key pond to and timestamp quantum Communication service station cryptographic key negotiation method and system.
Background technique
The Internet of rapid development brings huge convenience to people's lives, work, and people can be sitting in family It sent and received e-mail, made a phone call by Internet, carrying out the activities such as shopping online, bank transfer.The network information security simultaneously It is increasingly becoming a potential huge problem.In general the network information is faced with following several security risks: the network information It is stolen, information is tampered, attacker palms off information, malicious sabotage etc..
Wherein authentication is a kind of means of one of protection people's network information.Authentication is also referred to as " identity Verifying " or " identity identifies, " refer to the process of confirmation operation person's identity in computer and computer network system, so that it is determined that Whether the user has access and access right to certain resource, and then enables the access strategy of computer and networks system It reliably and efficiently executes, prevents attacker from palming off the access authority that legitimate user obtains resource, guarantee the peace of system and data Entirely, and authorization visitor legitimate interests.
And currently ensure that authentication successfully mainly relies on cryptographic technique, and in field of cryptography of today, it is main Will there are two types of cryptographic system, first is that symmetric key cryptosystem, i.e. encryption key and decruption key use it is same.The other is Public key cryptosystem, i.e. encryption key and decruption key difference, one of them can be disclosed.Current most identity is recognized Card relies primarily on public key cryptography system using algorithm.
The encryption key pair (public key) and decryption key (private key) that Public Key Cryptographic Systems uses are different.Due to encryption Key be it is disclosed, the distribution of key and management are just very simple, and Public Key Cryptographic Systems can also be easily carried out number Signature.
Since public key encryption comes out, scholars propose many kinds of public key encryption methods, their safety is all base In complicated difficult math question.Classified according to the difficult math question being based on, have following three classes system be presently believed to be safety and It is effective: big integer factorization system (representative to have RSA), Discrete log systems (representative to have DSA) and ellipse from It dissipates Logarithmic system (ECC).
But with the development of quantum computer, classical asymmetric-key encryption algorithm will be no longer safe, no matter encryption and decryption Or private key can be calculated in key exchange method, quantum computer by public key, therefore currently used asymmetric close Key will become cannot withstand a single blow in the quantum epoch.Quantum key distribution equipment QKD can ensure that the key of negotiation can not be acquired at present. But QKD is mainly used for quantum main line, ustomer premises access equipment to quantum communications service station is still classic network, therefore by non-right Claim algorithm it is difficult to ensure that authentication procedures safety.
Problem of the existing technology:
1. using pool of symmetric keys between quantum communications service station and quantum key card, capacity is huge, to quantum communications The key storage in service station brings pressure;
2. quantum communications service station, which has to encrypt key, to be stored in commonly since pool of symmetric keys key capacity is huge In storage medium such as hard disk, and it can not be stored in the key card in quantum communications service station;
3. causing trouble to cipher key backup since pool of symmetric keys key capacity is huge.
Summary of the invention
Based on this, it is necessary in view of the above technical problems, provide based on unsymmetrical key pond to and timestamp quantum it is logical Telecommunications services station cryptographic key negotiation method and system.
This application discloses based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, it is real It applies in masters, quantum communications service station cryptographic key negotiation method includes:
Parameters for authentication NA, encryption parameter KR are generated, the parameters for authentication NA encrypted using encryption parameter KR is sent to service station, Utilize the encryption parameter KR of service station public key encryption;The parameters for authentication NA is used to generate bill TICKET for service station, described Bill TICKET is used to verify for passive side;
The encryption parameter KA using masters public key encryption from service station is obtained, recognizing for encryption parameter KA encryption is utilized Parameter NA, session key KAB and bill TICKET are demonstrate,proved, the session key KAB is generated by the service station;It decrypts and verifies Session key KAB is trusted after the parameters for authentication NA sends the bill TICKET to passive side;The bill TICKET is used for It is verified for the passive side;
Obtain the parameters for authentication NA and parameters for authentication NB encrypted using session key KAB from passive side, the certification Parameter NB is generated by the passive side;Session key KAB is trusted after decryption, authentication verification parameter NA;It sends and utilizes to passive side The parameters for authentication NB of session key KAB encryption, the parameters for authentication NB are verified for passive side and are trusted session key KAB.
This application discloses based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, it is real It applies in service station, quantum communications service station cryptographic key negotiation method includes:
The parameters for authentication NA encrypted using encryption parameter KR from masters is obtained, adding for service station public key encryption is utilized Close parameter KR;The parameters for authentication NA, encryption parameter KR are generated by the masters;Generate session key KAB, encryption parameter KA, encryption parameter KB, the time stamp T 1 of current time simultaneously make bill TICKET, including the use of passive in the bill TICKET The encryption parameter KB of square public key encryption, the parameters for authentication NA encrypted using encryption parameter KB, session key KAB and timestamp T1;The encryption parameter KA for utilizing masters public key encryption is sent to the masters, the certification using encryption parameter KA encryption is joined Number NA, session key KAB and bill TICKET.
This application discloses based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, it is real It applies in passive side, quantum communications service station cryptographic key negotiation method includes:
It receives the bill TICKET from masters and generates the time stamp T 2 of received message, packet in the bill TICKET Include using passive side's public key encryption service station generate encryption parameter KB, using encryption parameter KB encryption by masters generate Parameters for authentication NA, the session key KAB and time stamp T 1 that service station generates;It decrypts and verifies the time stamp T 1 and time stamp T 2 Between difference be less than or equal to preset value;Trust bill TICKET and generate parameters for authentication NB, Xiang Suoshu masters, which are sent, to be utilized The parameters for authentication NA and parameters for authentication NB of the session key KAB encryption;The parameters for authentication NA is used to authenticate for masters;
The parameters for authentication NB for utilizing session key KAB encryption from masters is obtained, is decrypted and after authentication verification parameter NB Trust session key KAB.
This application discloses based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, institute Stating quantum communications service station cryptographic key negotiation method includes:
Masters generate parameters for authentication NA, encryption parameter KR, and the certification encrypted using encryption parameter KR is sent to service station Parameter NA utilizes the encryption parameter KR of service station public key encryption;
Service station obtain and decrypt after generate session key KAB, encryption parameter KA, encryption parameter KB, current time when Between stab T1 and make bill TICKET, including the use of the encryption parameter KB of passive side's public key encryption, benefit in the bill TICKET The parameters for authentication NA encrypted with encryption parameter KB, session key KAB and time stamp T 1;It sends to the masters using actively The encryption parameter KA of square public key encryption, the parameters for authentication NA encrypted using encryption parameter KA, session key KAB and bill TICKET;
The masters obtain, trust session key KAB after parameters for authentication NA described in decryption verification to passive side's transmission institute State bill TICKET;
The passive side, which obtains, decrypts and verifies the difference between the time stamp T 1 and time stamp T 2, to be less than or equal to preset Value;Trust bill TICKET and generate parameters for authentication NB, the transmission of Xiang Suoshu masters is recognized using what the session key KAB was encrypted Demonstrate,prove parameter NA and parameters for authentication NB;
The masters obtain, decrypt, trust session key KAB after authentication verification parameter NA;It sends and utilizes to passive side The parameters for authentication NB of session key KAB encryption;
The passive side obtains, trusts session key KAB after decryption and authentication verification parameter NB.
Further, the service station is divided into service station QA and service station QB, and the masters are that the son of service station QA is set Standby, the passive side is the sub- equipment of service station QB;
The service station QA obtains the parameters for authentication NA encrypted using encryption parameter KR from masters, utilizes service station The encryption parameter KR of public key encryption;Decrypt and generate the session key KAB and by the parameters for authentication NA and session key KAB Encryption is sent to the service station QB;
The service station QB generates encryption parameter KB after obtaining and decrypting, and the time stamp T 1 of current time simultaneously makes bill Including the use of the encryption parameter KB of passive side's public key encryption in TICKET, the bill TICKET, encrypted using encryption parameter KB Parameters for authentication NA, session key KAB and time stamp T 1;The bill TICKET is sent to service station QA encryption;
The service station QA is obtained and is decrypted to generate encryption parameter KA after obtaining the bill TICKET, is sent to client Using the encryption parameter KA of masters public key encryption, the parameters for authentication NA encrypted using encryption parameter KA, session key KAB and Bill TICKET.
Further, the session key KAB splits into message encryption and decryption key KABE and message authentication key KABA.
This application discloses a kind of active method, apparatus, including memory and processor, the memory is stored with computer Program, the processor realize the association of quantum communications service station key described in above-mentioned technical proposal when executing the computer program The step of quotient's method.
This application discloses a kind of service station equipment, including memory and processor, the memory is stored with computer Program, the processor realize the association of quantum communications service station key described in above-mentioned technical proposal when executing the computer program The step of quotient's method.
This application discloses a kind of passive method, apparatus, including memory and processor, the memory is stored with computer Program, the processor realize the association of quantum communications service station key described in above-mentioned technical proposal when executing the computer program The step of quotient's method.
This application discloses the quantum communications service station identity authorization systems based on unsymmetrical key pond, including are equipped with actively Side, passive side, service station and communication network;The masters are configured with masters key card, in the masters key card It is stored with service station public key pond, masters public key and masters private key;The passive side is configured with passive side's key card, described Service station public key pond, passive side's public key and passive side's private key are stored in dynamic side's key card;The service station is configured with service It stands key card, service station private key pond, masters public key pond and passive side's public key pond is stored in the service station key card;
Quantum described in above-mentioned technical proposal is realized by the communication network in the masters, passive side and service station The step of communication service station cryptographic key negotiation method.
In the application, the key card used is independent hardware isolated equipment.Public key, private key and other relevant parameters are deposited A possibility that storing up the data safety area in key card, stealing key by Malware or malicious operation substantially reduces, will not It is obtained and is cracked by quantum computer.It is non-since nothing is related to the transmitting of public and private key and algorithm parameter in classic network The risk that symmetric key is cracked is very low, in addition, encrypted transmission message is carried out using QKD between service station and service station, so The safety of message is greatly ensured.Key card has ensured communication security of the communicating pair in group, also greatly mentions The high safety of authentication.Unsymmetrical key pond solves pool of symmetric keys and brings key to quantum communications service station simultaneously Pressure is stored, carrying cost is reduced.For example, the pool of symmetric keys size of original users is 1G, user's number is N, then measures Sub- communication service station needs to store the pool of keys of N number of G, and if storage unsymmetrical key pond, user terminal stores pool of keys size It is similarly 1G, quantum communications service station equally only needs to store the pool of keys of 1G size.
Meanwhile the application improves the identifying procedure based on symmetric key algorithm, so that the data in identifying procedure It is protected, can only be decrypted by private key owner by the data of public key encryption, all other men can not solve by asymmetric-key encryption It is close, therefore improve the safety of the identifying procedure based on symmetric key algorithm.
Detailed description of the invention
Fig. 1 is the pool of keys distribution schematic diagram of service station key card in the present invention;
Fig. 2 is the pool of keys distribution schematic diagram of client key card in the present invention;
Fig. 3 is the authentication process figure of embodiment 1;
Fig. 4 is the authentication process figure of embodiment 2.
Specific embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the objects, technical solutions and advantages of the application are more clearly understood The application is further elaborated.It should be appreciated that specific embodiment described herein is only used to explain the application, not For limiting the application.Wherein the service station in the application is quantum communications service station in the case where not doing specified otherwise, Each title in the application is subject to letter and number and is combined, such as Q, service station Q, service station indicate same meaning below, That is service station Q;Such as device parameter IDA again, IDA hereinafter indicate that same meaning, i.e. device parameter IDA, remaining title are same Reason.
This application discloses based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, it is real It applies in masters, quantum communications service station cryptographic key negotiation method includes:
Parameters for authentication NA, encryption parameter KR are generated, the parameters for authentication NA encrypted using encryption parameter KR is sent to service station, Utilize the encryption parameter KR of service station public key encryption;Parameters for authentication NA is used to generate bill TICKET, the bill for service station TICKET is used to verify for passive side;
The encryption parameter KA using masters public key encryption from service station is obtained, recognizing for encryption parameter KA encryption is utilized Demonstrate,prove parameter NA, session key KAB and bill TICKET;The session key KAB is generated by the service station;It decrypts and tests Session key KAB is trusted to passive side's transmission bill TICKET after demonstrate,proving parameters for authentication NA;Bill TICKET for passive side for testing It demonstrate,proves and generates parameters for authentication NB;
Obtain the parameters for authentication NA and parameters for authentication NB encrypted using session key KAB from passive side, the certification Parameter NB is generated by the passive side;Session key KAB is trusted after decryption, authentication verification parameter NA;It sends and utilizes to passive side The parameters for authentication NB of session key KAB encryption, parameters for authentication NB are verified for passive side and are trusted session key KAB.
This application discloses based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, it is real It applies in service station, quantum communications service station cryptographic key negotiation method includes:
The parameters for authentication NA encrypted using encryption parameter KR from masters is obtained, adding for service station public key encryption is utilized Close parameter KR;Parameters for authentication NA, encryption parameter KR are generated by masters;Generate session key KAB, encryption parameter KA, encryption Parameter KB, the time stamp T 1 of current time simultaneously make bill TICKET, including the use of passive side's public key encryption in bill TICKET Encryption parameter KB, the parameters for authentication NA encrypted using encryption parameter KB, session key KAB and time stamp T 1;To masters The encryption parameter KA for utilizing masters public key encryption is sent, the parameters for authentication NA, session key KAB encrypted using encryption parameter KA And bill TICKET;The bill TICKET is used for for obtaining the session key KAB after passive side's verifying to be unfolded to communicate.
This application discloses based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, it is real It applies in passive side, quantum communications service station cryptographic key negotiation method includes:
It receives the bill TICKET from masters and generates the time stamp T 2 of received message, include benefit in bill TICKET Encryption parameter KB is generated with the service station of passive side's public key encryption, utilizes the certification of encryption parameter KB encryption generated by masters Parameter NA, the session key KAB and time stamp T 1 that service station generates;Decrypt the difference simultaneously between verification time stamp T1 and time stamp T 2 Value is less than or equal to preset value;Trust bill TICKET and generate parameters for authentication NB, sends to masters and added using session key KAB Close parameters for authentication NA and parameters for authentication NB;Parameters for authentication NA is used to authenticate for masters;
The parameters for authentication NB for utilizing session key KAB encryption from masters is obtained, is decrypted and after authentication verification parameter NB Trust session key KAB.
This application discloses based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, amount Sub- communication service station cryptographic key negotiation method includes:
Masters generate parameters for authentication NA, encryption parameter KR, and the certification encrypted using encryption parameter KR is sent to service station Parameter NA utilizes the encryption parameter KR of service station public key encryption;
Service station obtain and decrypt after generate session key KAB, encryption parameter KA, encryption parameter KB, current time when Between stab T1 and make bill TICKET, including the use of the encryption parameter KB of passive side's public key encryption in bill TICKET, using adding The parameters for authentication NA of close parameter KB encryption, session key KAB and time stamp T 1;It sends to masters and is added using masters public key Close encryption parameter KA, the parameters for authentication NA, session key KAB and bill TICKET encrypted using encryption parameter KA;
Masters obtain, trust session key KAB after decryption verification parameters for authentication NA to passive side's transmission bill TICKET;
Passive side obtains, decryption and the difference between verification time stamp T1 and time stamp T 2 are less than or equal to preset value;Trust Bill TICKET simultaneously generates parameters for authentication NB, sends to masters and utilizes the session key KAB parameters for authentication NA encrypted and certification Parameter NB;
Masters obtain, decrypt, trust session key KAB after authentication verification parameter NA;It is sent to passive side and utilizes session The parameters for authentication NB of key KAB encryption;
Passive side obtains, trusts session key KAB after decryption and authentication verification parameter NB.
In one embodiment, as described in Example 1, service station is divided into service station QA and service station QB, and masters are service It stands the sub- equipment of QA, passive side is the sub- equipment of service station QB;
Service station QA obtains the parameters for authentication NA encrypted using encryption parameter KR from masters, utilizes service station public key The encryption parameter KR of encryption;It decrypts and generates session key KAB and parameters for authentication NA and session key KAB encryption is sent to clothes Business station QB;
Service station QB generates encryption parameter KB after obtaining and decrypting, and the time stamp T 1 of current time simultaneously makes bill Including the use of the encryption parameter KB of passive side's public key encryption in TICKET, bill TICKET, recognizing for encryption parameter KB encryption is utilized Demonstrate,prove parameter NA, session key KAB and time stamp T 1;It is encrypted to service station QA and sends bill TICKET;
Service station QA is obtained and is decrypted to generate encryption parameter KA after obtaining bill TICKET, is sent to client using actively The encryption parameter KA of square public key encryption, the parameters for authentication NA encrypted using encryption parameter KA, session key KAB and bill TICKET。
In one embodiment, session key KAB splits into message encryption and decryption key KABE and message authentication key KABA.
This application discloses a kind of active method, apparatus, including memory and processor, memory to be stored with computer program, The step of processor realizes quantum communications service station cryptographic key negotiation method in above-mentioned technical proposal when executing computer program.
This application discloses a kind of service station equipments, including memory and processor, memory to be stored with computer program, The step of processor realizes quantum communications service station cryptographic key negotiation method in above-mentioned technical proposal when executing computer program.
This application discloses a kind of passive method, apparatus, including memory and processor, memory to be stored with computer program, The step of processor realizes quantum communications service station cryptographic key negotiation method in above-mentioned technical proposal when executing computer program.
This application discloses the quantum communications service station identity authorization systems based on unsymmetrical key pond, including are equipped with actively Side, passive side, service station and communication network;Masters are configured with masters key card, are stored with clothes in masters key card Business station public key pond, masters public key and masters private key;Passive side is configured with passive side's key card, moves storage in side's key card There are service station public key pond, passive side's public key and passive side's private key;Service station is configured with service station key card, service station key card Inside it is stored with service station private key pond, masters public key pond and passive side's public key pond;
Masters, passive side and service station realize that quantum communications service station is close in above-mentioned technical proposal by communication network The step of key machinery of consultation.
The practical realization scene of technical solution in the application can be at one based under unsymmetrical key pond body system Any two object A, B carry out mutual authentication.Each object has key card in the pool of keys system of the application, can The key for storing big data quantity also has the ability of processing information.In the application, all deposited in the local system of object A and object B In the algorithm of corresponding demand.
The description of key card is visible, and application No. is the patents of " 201610843210.6 ".When for mobile terminal, key card Preferably key SD card;When for fixed terminal, key card is preferably key USBkey or host key board.
With application No. is compared with the patent of " 201610843210.6 ", key card to issue mechanism different.This patent The key card side of issuing be key card supervisor side, the generally administrative department of group, such as the pipe of certain enterprise or public institution Reason department;The member's that the key card side of being awarded is managed by the supervisor side of key card, generally certain enterprise or public institution is each Grade employee.Supervisor side's application that user terminal arrives key card first is opened an account.After user terminal carries out registering granted, it will obtain close Key card (has unique key card ID).Key card stores client enrollment register information.Under same quantum communications service station Public key pond in client key card is all downloaded from down the same Key Management server, and its each client key card for issuing The public key pond of middle storage is completely the same.Preferably, the pool of keys size stored in key card can be 1G, 2G, 4G, 8G, 16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G etc..
Key card is developed from smart card techniques, is combined with cryptological technique, hardware security isolation technology, quantum The authentication of physics technology (in the case where carrying quantum random number generator) and encryption and decryption product.The embedded core of key card Piece and operating system can provide the functions such as secure storage and the cryptographic algorithm of key.Since it is with independent data processing energy Power and good safety, key card become the safety barrier of private key and pool of keys.Each key card has hardware PIN code guarantor Shield, PIN code and hardware constitute two necessary factors that user uses key card.I.e. so-called " double factor authentication, " user only has The key card and user's PIN code for saving relevant authentication information are obtained simultaneously, it just can be with login system.Even if the PIN code of user It is leaked, as long as the key card that user holds is not stolen, the identity of legitimate user would not be counterfeit;If the key of user Card is lost, and the person of picking up also cannot counterfeit the identity of legitimate user due to not knowing user's PIN code.In short, key card makes key It is not appeared in the disk and memory of host with plaintext version Deng top secret information, so as to which the safety of top-secret information is effectively ensured.
In the application, key card is divided into service station key card and client (i.e. masters and passive side) key card.Such as Fig. 1 Shown, it is private that the key zone of service station key card is mainly stored with client (including masters and passive side) public key pond and service station Key pond;As shown in Fig. 2, the key zone of client (including masters and passive side) key card is mainly stored with service station public key pond With a pair of of public private key pair.The key card is issued by Key Management server.
Key Management server can select a kind of algorithm for not only having supported encryption and decryption but also support signature before issuing key card. Key Management server generates respective numbers according to the quantity of client and meets the number of the algorithm specification as private key and public key. Key Management server generates the ID of respective numbers, and chooses the public private key pair of respective numbers, and public key therein and ID is taken to carry out Combination obtains ID/ public key, and formation public key pond file in same file is written in the form of ID/ public key, i.e., above-mentioned client is public Key pond.Meanwhile corresponding private key is also written to formation private key pond file in file by Key Management server in an identical manner, That is client private key pond.The ID of each private key is identical as the ID of corresponding public key in client public key pond in client private key pond.It is close Key management server generates the number for largely meeting the algorithm specification as private key and public key again.Key Management server will be public Private key, which is respectively written into two files, forms service station public key pond and service station private key pond.Public key in the public key pond of service station with The private key of same position is corresponding in the private key pond of service station.The first key card issued is defined as service station by Key Management server Key card, and by service station private key pond and client public key pond and related algorithm parameter write-in key card key zone.Key The subsequent key card issued of management server is client key card.Key Management server random number selection one is unallocated ID distribute to key card, and public and private key and the service station public key pond of identical ID are taken from client public key pond and client private key pond The key zone of key card is written, relevant parameter is written in key card together.
In the specific embodiment of the application, masters are referred to customer end A, refer to passive side with customer end B.
Embodiment 1
System explanation
The scene of the present embodiment is as shown in figure 3, in this figure, including customer end A, that is, masters, customer end B, that is, passive side, clothes Business station includes quantum communications service station QA and quantum communications service station QB, referred to as service station QA and service station QB.QA and QB points It Dai You not respective Key Management server.Customer end A and customer end B are equipped with client key card, quantum communications service station QA and quantum communications service station QB is furnished with service station key card.Above-mentioned customer end A belongs to quantum communications service station QA, client B belongs to quantum communications service station QB, i.e. the key card of A, B is issued by the Key Management server of QA, QB respectively.If client Holding the ID of A is IDA, public key PKA, private key SKA;If the ID of customer end B is IDB, public key PKB, private key SKB.
Step 1: customer end A initiates the ID authentication request with customer end B to service station QA.
It includes IDA that customer end A, which generates in request Request, Request with the authentication of customer end B, | | IDB and Other necessary informations.Customer end A generates true random number KR and NA according to matched randomizer, and customer end A utilizes KR pairs Request and NA carry out symmetric cryptography and obtain { Request | | NA } KR.
Customer end A generates a true random number RI according to matched randomizer, and by true random number RI by non- Cipher key location pointer kpI is calculated in symmetric key pointer function fkp.Customer end A is according to cipher key location pointer from own key The public key PKQAI of service station QA is taken out in service station public key pond in card.Customer end A is encrypted to obtain using PKQAI to KR {KR}PKQAI。
Customer end A is by RI | | and Request | | NA } KR | | { KR } PKQAI is sent to service station QA.
Step 2: quantum communications service station QA forwards the request to quantum communications service station QB.
Service station QA is according to receiving RI | | and Request | | NA } KR | | after { KR } PKQAI, true random number RI is passed through non- Cipher key location pointer kpI is calculated in symmetric key pointer function fkp.Service station QA is according to cipher key location pointer from own key Own private key SKQAI is taken out in service station private key pond in card.Service station QA is decrypted { KR } PKQAI using SKQA1 To KR.Service station QA decrypts to obtain Request and NA using the obtained KR of decryption to { Request | | NA } KR.
Service station QA generates the session key KAB between customer end A and customer end B according to matched key card, utilizes QKD Negotiation key pair Request | | NA | | KAB } encrypted after be sent to QB.
Step 3: TICKET is sent back quantum communications service station QA by quantum communications service station QB.
Service station QB receives the message from service station QA, is decrypted to obtain Request using the key that QKD negotiates ||NA||KAB。
Service station QB generates a true random number KB, and using KB to Request | | NA | | KAB carries out symmetric cryptography.Together When be encrypted there are one service station QB obtain when time T1 as timestamp.Then service station QB is according in Request The public key PKB that IDB extracts customer end B in client public key pond encrypts KB, obtain Request | | NA | | KAB | | T1 } KB | | { KB } PKB is as TICKET.QA is sent to after being encrypted using the key pair TICKET that QKD negotiates.
Step 4: TICKET is sent to customer end A by quantum communications service station QA.
After service station QA receives the TICKET of QKD key encryption, after the decryption of QKD key, true random number KA is generated, Using KA to TICKET and Request | | NA | | KAB is encrypted.According to the IDA in Request in client public key pond The public key PKA for extracting customer end A encrypts KA.Will Request | | NA | | KAB | | TICKET } KA | | { KA } PKA is sent To customer end A.
Step 5: TICKET being sent to customer end B after customer end A verification information.
Customer end A decrypts to obtain KA using private key SKA, decrypts to obtain Request using KA | | NA | | KAB | | TICKET, Whether equal with local NA identify NA, if equal, trusts KAB as the session key communicated with user terminal B.Then will TICKET is sent to customer end B.
Step 6: the customer end B verification time stabs validity.
After customer end B receives TICKET, the local zone time T2 of received message is taken.It decrypts to obtain using the private key SKB of oneself KB decrypts to obtain Request using KB | | NA | | KAB | | T1.If the absolute value of the difference of T2 and T1 is not more than time threshold △ T, i.e., | T2-T1 |≤△ T, then it is effective for trusting TICKET.△ T may be configured as 10s.
Customer end B generates random number N B according to matched random number generator, is sent to client using KAB encryption NA and NB Hold A.
Step 7: customer end A Authentication Client B is simultaneously replied.
After customer end A receives { NA | | NB } KAB of customer end B transmission, decrypt to obtain NA and NB using KAB.Customer end A Whether equal with local NA identify NA, if equal, passes through the certification to user terminal B.Then customer end A encrypts NB using KAB It is sent to customer end B.
Step 8: customer end B completes the certification to customer end A.
After customer end B receives { NB } KAB of customer end A transmission, decrypt to obtain NB using KAB, whether customer end B identifies NB It is equal with local NB, if equal, pass through the certification to user terminal A.Negotiate the session key completed between confirmation and user terminal A For KAB.
Rapid 9: customer end A is securely communicated with user terminal B.
Customer end A and customer end B can carry out message encryption and decryption and message authentication using key KAB.Preferably, KAB is torn open It is divided into KABE and KABA, respectively as message encryption and decryption and message authentication key.
Embodiment 2
System explanation
The scene of the present embodiment as shown in figure 4, in this figure, including customer end A, that is, masters, customer end B, that is, passive side and Quantum communications service station Q, that is, service station, referred to as service station Q.Customer end A and customer end B are equipped with client key card, quantum Communication service station Q is furnished with service station key card.Above-mentioned key card is the same batch that the same Key Management server is issued Key card.If the ID of customer end A is IDA, public key PKA, private key SKA;If the ID of customer end B be IDB, public key PKB, Private key is SKB.
Step 1: customer end A initiates the ID authentication request with customer end B to service station Q.
It includes IDA that customer end A, which generates in request Request, Request with the authentication of customer end B, | | IDB and Other necessary informations.Customer end A generates true random number KR and NA according to matched randomizer, and customer end A utilizes KR pairs Request and NA carry out symmetric cryptography and obtain { Request | | NA } KR.
Customer end A generates a true random number R according to matched randomizer, and by true random number R by non-right Claim key indicator function fkp that cipher key location pointer kp is calculated.Customer end A is according to cipher key location pointer from own key card Service station public key pond in take out service station Q public key PKQ.Customer end A encrypts KR using PKQA to obtain { KR } PKQ.
Customer end A is by R | | and Request | | NA } KR | | { KR } PKQ is sent to service station Q.
Step 2: quantum communications service station Q generates session key and makes TICKET.
Service station Q is according to receiving R | | and Request | | NA } KR | | after { KR } PKQ, true random number R is passed through asymmetric Cipher key location pointer kp is calculated in key indicator function fkp.Service station Q is according to cipher key location pointer from own key card Own private key SKQ is taken out in the private key pond of service station.Service station Q is decrypted to obtain KR using SKQ to { KR } PKQ.Service station Q benefit { Request | | NA } KR is decrypted to obtain Request and NA with the obtained KR of decryption.
Service station Q generates the session key KAB between customer end A and customer end B according to matched key card, also generates two A key KA and KB.Using KB to Request | | NA | | KAB carries out symmetric cryptography, at the same be encrypted there are one service station Q It obtains when time T1 is as timestamp.Then service station Q extracts client in client public key pond according to the IDB in Request The public key PKB of end B encrypts KB, obtain Request | | NA | | KAB | | T1 } KB | | { KB } PKB is as TICKET.Then Service station Q is using KA to TICKET and Request | | NA | | KAB is encrypted.According to the IDA in Request in client The public key PKA that customer end A is extracted in public key pond encrypts KA.Will Request | | NA | | KAB | | TICKET } KA | | { KA } PKA is sent to customer end A.
Step 3: TICKET being sent to customer end B after customer end A verification information.
Customer end A decrypts to obtain KA using private key SKA, decrypts to obtain Request using KA | | NA | | KAB | | TICKET, Whether equal with local NA identify NA, if equal, trusts KAB as the session key communicated with user terminal B.Then will TICKET is sent to customer end B.
Step 4: the customer end B verification time stabs validity.
After customer end B receives TICKET, the local zone time T2 of received message is taken.It decrypts to obtain using the private key SKB of oneself KB decrypts to obtain Request using KB | | NA | | KAB | | T1.If the absolute value of the difference of T2 and T1 is not more than preset value, immediately Between threshold value △ T, | T2-T1 |≤△ T, then it is effective for trusting TICKET.△ T may be configured as 10s.
Customer end B generates random number N B according to matched random number generator, is sent to client using KAB encryption NA and NB Hold A.
Step 5: customer end A Authentication Client B is simultaneously replied.
After customer end A receives { NA | | NB } KAB of customer end B transmission, decrypt to obtain NA and NB using KAB.Customer end A Whether equal with local NA identify NA, if equal, passes through the certification to user terminal B.Then customer end A encrypts NB using KAB It is sent to customer end B.
Step 6: customer end B completes the certification to customer end A.
After customer end B receives { NB } KAB of customer end A transmission, decrypt to obtain NB using KAB, whether customer end B identifies NB It is equal with local NB, if equal, pass through the certification to user terminal A.Negotiate the session key completed between confirmation and user terminal A For KAB.
Step 7: customer end A is securely communicated with user terminal B.
Customer end A and customer end B can carry out message encryption and decryption and message authentication using key KAB.Preferably, KAB is torn open It is divided into KABE and KABA, respectively as message encryption and decryption and message authentication key.
Wherein implement according in the available claim of conclusion of the specific steps of technical solution disclosed above in master Dynamic side based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, implement the base in passive side In unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method and implement in service station based on non- Pool of symmetric keys to and timestamp quantum communications service station cryptographic key negotiation method, therefore repeat no more.
Specific restriction about active method, apparatus, passive method, apparatus and service station equipment and system may refer to above In restriction for quantum communications service station authentication method, details are not described herein.Modules in above-mentioned each equipment can be whole Or part is realized by software, hardware and combinations thereof.Above-mentioned each module can be embedded in the form of hardware or independently of computer In processor in equipment, it can also be stored in a software form in the memory in computer equipment, in order to processor tune With the corresponding operation of the above modules of execution.
In one embodiment, a kind of computer equipment is provided, which can be server, internal junction Composition can be as shown in Figure 3.The computer equipment include by system bus connect processor, memory, network interface and Database.Wherein, the processor of the computer equipment is for providing calculating and control ability.The memory packet of the computer equipment Include non-volatile memory medium, built-in storage.The non-volatile memory medium is stored with operating system, computer program and data Library.The built-in storage provides environment for the operation of operating system and computer program in non-volatile memory medium.The calculating The database of machine equipment is used to store the related data of authentication.The network interface of the computer equipment is used for and external end End passes through network connection communication.When the computer program is executed by processor with realize be based on unsymmetrical key pond to and timestamp Quantum communications service station cryptographic key negotiation method.
It will be understood by those skilled in the art that structure shown in Fig. 3, only part relevant to application scheme is tied The block diagram of structure does not constitute the restriction for the computer equipment being applied thereon to application scheme, specific computer equipment It may include perhaps combining certain components or with different component layouts than more or fewer components as shown in the figure.
Those of ordinary skill in the art will appreciate that realizing all or part of the process in above-described embodiment method, being can be with Relevant hardware is instructed to complete by computer program, the computer program can be stored in a non-volatile computer In read/write memory medium, the computer program is when being executed, it may include such as the process of the embodiment of above-mentioned each method.Wherein, To any reference of memory, storage, database or other media used in each embodiment provided herein, Including non-volatile and/or volatile memory.Nonvolatile memory may include read-only memory (ROM), programming ROM (PROM), electrically programmable ROM (EPROM), electrically erasable ROM (EEPROM) or flash memory.Volatile memory may include Random access memory (RAM) or external cache.By way of illustration and not limitation, RAM is available in many forms, Such as static state RAM (SRAM), dynamic ram (DRAM), synchronous dram (SDRAM), double data rate sdram (DDRSDRAM), enhancing Type SDRAM (ESDRAM), synchronization link (Synchlink) DRAM (SLDRAM), memory bus (Rambus) direct RAM (RDRAM), direct memory bus dynamic ram (DRDRAM) and memory bus dynamic ram (RDRAM) etc..
Each technical characteristic of above embodiments can be combined arbitrarily, for simplicity of description, not to above-described embodiment In each technical characteristic it is all possible combination be all described, as long as however, the combination of these technical characteristics be not present lance Shield all should be considered as described in this specification.
The several embodiments of the application above described embodiment only expresses, the description thereof is more specific and detailed, but simultaneously It cannot therefore be construed as limiting the scope of the patent.It should be pointed out that coming for those of ordinary skill in the art It says, without departing from the concept of this application, various modifications and improvements can be made, these belong to the protection of the application Range.Therefore, the scope of protection shall be subject to the appended claims for the application patent.

Claims (10)

1. based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, implement in masters, It is characterized in that, quantum communications service station cryptographic key negotiation method includes:
Parameters for authentication NA, encryption parameter KR are generated, the parameters for authentication NA encrypted using encryption parameter KR is sent to service station, is utilized The encryption parameter KR of service station public key encryption;The parameters for authentication NA is used to generate bill TICKET for the service station, described Bill TICKET is used to verify for passive side;
The encryption parameter KA using masters public key encryption from service station is obtained, the certification using encryption parameter KA encryption is joined Number NA, session key KAB and bill TICKET, the session key KAB are generated by the service station;It decrypts and verifies described Session key KAB is trusted after parameters for authentication NA sends the bill TICKET to passive side;The bill TICKET is used for for institute State passive side's verifying;
Obtain the parameters for authentication NA and parameters for authentication NB encrypted using session key KAB from passive side, the parameters for authentication NB is generated by the passive side;Session key KAB is trusted after decryption, authentication verification parameter NA;It is sent to passive side and utilizes session The parameters for authentication NB of key KAB encryption, the parameters for authentication NB are verified for passive side and are trusted session key KAB.
2. based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, implement in service station, It is characterized in that, quantum communications service station cryptographic key negotiation method includes:
The parameters for authentication NA encrypted using encryption parameter KR from masters is obtained, is joined using the encryption of service station public key encryption Number KR;The parameters for authentication NA, encryption parameter KR are generated by the masters;Session key KAB, encryption parameter KA are generated, Encryption parameter KB, the time stamp T 1 of current time simultaneously make bill TICKET, including the use of passive side in the bill TICKET The encryption parameter KB of public key encryption, the parameters for authentication NA encrypted using encryption parameter KB, session key KAB and time stamp T 1; The encryption parameter KA for utilizing masters public key encryption is sent to the masters, the parameters for authentication encrypted using encryption parameter KA NA, session key KAB and bill TICKET.
3. based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, implement in passive side, It is characterized in that, quantum communications service station cryptographic key negotiation method includes:
It receives the bill TICKET from masters and generates the time stamp T 2 of received message, include benefit in the bill TICKET Encryption parameter KB is generated with the service station of passive side's public key encryption, utilizes the certification of encryption parameter KB encryption generated by masters Parameter NA, the session key KAB and time stamp T 1 that service station generates;It decrypts and verifies between the time stamp T 1 and time stamp T 2 Difference be less than or equal to preset value;Trust bill TICKET and generate parameters for authentication NB, Xiang Suoshu masters are sent described in utilization The parameters for authentication NA and parameters for authentication NB of session key KAB encryption;The parameters for authentication NA is used to authenticate for masters;
The parameters for authentication NB for utilizing session key KAB encryption from masters is obtained, decrypt and is trusted after authentication verification parameter NB Session key KAB.
4. based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, which is characterized in that it is described Quantum communications service station cryptographic key negotiation method includes:
Masters generate parameters for authentication NA, encryption parameter KR, and the parameters for authentication encrypted using encryption parameter KR is sent to service station NA utilizes the encryption parameter KR of service station public key encryption;
Service station generates session key KAB, encryption parameter KA, encryption parameter KB, the timestamp of current time after obtaining and decrypting T1 simultaneously makes bill TICKET, including the use of the encryption parameter KB of passive side's public key encryption in the bill TICKET, using adding The parameters for authentication NA of close parameter KB encryption, session key KAB and time stamp T 1;It is sent to the masters public using masters The encryption parameter KA of key encryption, the parameters for authentication NA, session key KAB and bill TICKET encrypted using encryption parameter KA;
The masters obtain, trust session key KAB after parameters for authentication NA described in decryption verification to passive side's transmission ticket According to TICKET;
The passive side, which obtains, decrypts and verifies the difference between the time stamp T 1 and time stamp T 2, is less than or equal to preset value; Trust bill TICKET and generate parameters for authentication NB, Xiang Suoshu masters send the certification using session key KAB encryption Parameter NA and parameters for authentication NB;
The masters obtain, decrypt, trust session key KAB after authentication verification parameter NA;It is sent to passive side and utilizes session The parameters for authentication NB of key KAB encryption;
The passive side obtains, trusts session key KAB after decryption and authentication verification parameter NB.
5. such as the described in any item quantum communications service station cryptographic key negotiation methods of Claims 1-4, which is characterized in that the clothes Business station is divided into service station QA and service station QB, and the masters are the sub- equipment of service station QA, and the passive side is service station QB Sub- equipment;
The service station QA obtains the parameters for authentication NA encrypted using encryption parameter KR from masters, utilizes service station public key The encryption parameter KR of encryption;It decrypts and generates the session key KAB and encrypt the parameters for authentication NA and session key KAB It is sent to the service station QB;
The service station QB generates encryption parameter KB after obtaining and decrypting, and the time stamp T 1 of current time simultaneously makes bill Including the use of the encryption parameter KB of passive side's public key encryption in TICKET, the bill TICKET, encrypted using encryption parameter KB Parameters for authentication NA, session key KAB and time stamp T 1;The bill TICKET is sent to service station QA encryption;
The service station QA is obtained and is decrypted to generate encryption parameter KA after obtaining the bill TICKET, is sent and is utilized to client The encryption parameter KA of masters public key encryption, the parameters for authentication NA encrypted using encryption parameter KA, session key KAB and bill TICKET。
6. such as the described in any item quantum communications service station cryptographic key negotiation methods of Claims 1-4, which is characterized in that the meeting Words key KAB splits into message encryption and decryption key KABE and message authentication key KABA.
7. a kind of active method, apparatus, including memory and processor, the memory are stored with computer program, feature exists In the processor realizes quantum communications service station key agreement side described in claim 1 when executing the computer program The step of method.
8. a kind of service station equipment, including memory and processor, the memory are stored with computer program, feature exists In the processor realizes quantum communications service station key agreement side described in claim 2 when executing the computer program The step of method.
9. a kind of passive method, apparatus, including memory and processor, the memory are stored with computer program, feature exists In the processor realizes quantum communications service station key agreement side described in claim 3 when executing the computer program The step of method.
10. based on unsymmetrical key pond to and timestamp quantum communications service station cryptographic key negotiation method, which is characterized in that including Equipped with masters, passive side, service station and communication network;The masters are configured with masters key card, the masters Service station public key pond, masters public key and masters private key are stored in key card;The passive side is close configured with passive side Key card is stored with service station public key pond, passive side's public key and passive side's private key in dynamic side's key card;Match in the service station It is equipped with service station key card, service station private key pond, masters public key pond and passive side are stored in the service station key card Public key pond;
The masters, passive side and service station realize that quantum communications described in claim 4 take by the communication network The step of business station cryptographic key negotiation method.
CN201910325032.1A 2019-04-22 2019-04-22 Quantum communication service station key negotiation method and system based on asymmetric key pool pair and time stamp Active CN110086627B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910325032.1A CN110086627B (en) 2019-04-22 2019-04-22 Quantum communication service station key negotiation method and system based on asymmetric key pool pair and time stamp

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910325032.1A CN110086627B (en) 2019-04-22 2019-04-22 Quantum communication service station key negotiation method and system based on asymmetric key pool pair and time stamp

Publications (2)

Publication Number Publication Date
CN110086627A true CN110086627A (en) 2019-08-02
CN110086627B CN110086627B (en) 2023-08-04

Family

ID=67416078

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910325032.1A Active CN110086627B (en) 2019-04-22 2019-04-22 Quantum communication service station key negotiation method and system based on asymmetric key pool pair and time stamp

Country Status (1)

Country Link
CN (1) CN110086627B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111245609A (en) * 2020-01-17 2020-06-05 南京如般量子科技有限公司 Secret sharing and random number based quantum secret communication key distribution and negotiation system and method thereof

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160044007A1 (en) * 2013-03-28 2016-02-11 Commissariat A L'energie Atomique Et Aux Energies Alternatives Method and device for establishing session keys
CN105763563A (en) * 2016-04-19 2016-07-13 浙江神州量子网络科技有限公司 Identity authentication method during quantum secret key application process
CN106357396A (en) * 2016-09-23 2017-01-25 浙江神州量子网络科技有限公司 Digital signature method, digital signature system and quantum key card
US20170338951A1 (en) * 2016-05-19 2017-11-23 Alibaba Group Holding Limited Method and system for secure data transmission
CN108574569A (en) * 2017-03-08 2018-09-25 中国移动通信有限公司研究院 A kind of authentication method and authentication device based on quantum key
CN108768653A (en) * 2018-03-01 2018-11-06 如般量子科技有限公司 Identity authorization system based on quantum key card
CN109450623A (en) * 2018-10-16 2019-03-08 如般量子科技有限公司 Anti- quantum calculation cryptographic key negotiation method based on unsymmetrical key pond

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160044007A1 (en) * 2013-03-28 2016-02-11 Commissariat A L'energie Atomique Et Aux Energies Alternatives Method and device for establishing session keys
CN105763563A (en) * 2016-04-19 2016-07-13 浙江神州量子网络科技有限公司 Identity authentication method during quantum secret key application process
US20170338951A1 (en) * 2016-05-19 2017-11-23 Alibaba Group Holding Limited Method and system for secure data transmission
CN107404461A (en) * 2016-05-19 2017-11-28 阿里巴巴集团控股有限公司 Data safe transmission method, client and service end method, apparatus and system
CN106357396A (en) * 2016-09-23 2017-01-25 浙江神州量子网络科技有限公司 Digital signature method, digital signature system and quantum key card
CN108574569A (en) * 2017-03-08 2018-09-25 中国移动通信有限公司研究院 A kind of authentication method and authentication device based on quantum key
CN108768653A (en) * 2018-03-01 2018-11-06 如般量子科技有限公司 Identity authorization system based on quantum key card
CN109450623A (en) * 2018-10-16 2019-03-08 如般量子科技有限公司 Anti- quantum calculation cryptographic key negotiation method based on unsymmetrical key pond

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DENIS BUTIN: "Post-quantum authentication in OpenSSL with hash-based signatures" *
魏振宇;芦翔;史庭俊;: "基于PKI体系的跨域密钥协商协议" *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111245609A (en) * 2020-01-17 2020-06-05 南京如般量子科技有限公司 Secret sharing and random number based quantum secret communication key distribution and negotiation system and method thereof
CN111245609B (en) * 2020-01-17 2023-02-28 南京如般量子科技有限公司 Secret sharing and random number based quantum secret communication key distribution and negotiation system and method thereof

Also Published As

Publication number Publication date
CN110086627B (en) 2023-08-04

Similar Documents

Publication Publication Date Title
CN1689297B (en) Method of preventing unauthorized distribution and use of electronic keys using a key seed
CN106357401B (en) A kind of storage of private key and application method
US6073237A (en) Tamper resistant method and apparatus
JP4866863B2 (en) Security code generation method and user device
CN104184743B (en) Towards three layers of Verification System and authentication method of cloud computing platform
Rezaeighaleh et al. New secure approach to backup cryptocurrency wallets
CN110519046A (en) Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD
US11831753B2 (en) Secure distributed key management system
CN110138548A (en) Based on unsymmetrical key pond to and DH agreement quantum communications service station cryptographic key negotiation method and system
CN101815091A (en) Cipher providing equipment, cipher authentication system and cipher authentication method
CN111274599A (en) Data sharing method based on block chain and related device
CN110380859B (en) Quantum communication service station identity authentication method and system based on asymmetric key pool pair and DH protocol
CN105653986A (en) Micro SD card-based data protection method and device
CN110135175A (en) Information processing, acquisition methods, device, equipment and medium based on block chain
CN109347813A (en) Internet of things equipment login method, system, computer equipment and storage medium
CN110505055A (en) Based on unsymmetrical key pond to and key card outer net access identity authentication method and system
CN108537537A (en) A kind of safe and reliable digital cash Wallet System
CN110098925A (en) Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system
KR20090019576A (en) Certification method and system for a mobile phone
US20120284787A1 (en) Personal Secured Access Devices
CN113643134A (en) Internet of things block chain transaction method and system based on multi-key homomorphic encryption
CN110176989B (en) Quantum communication service station identity authentication method and system based on asymmetric key pool
CN108667801A (en) A kind of Internet of Things access identity safety certifying method and system
CN110493177A (en) Based on unsymmetrical key pond to and sequence number quantum communications service station AKA cryptographic key negotiation method and system
CN110519222A (en) Outer net access identity authentication method and system based on disposable asymmetric key pair and key card

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant