CN110176989A - Quantum communications service station identity identifying method and system based on unsymmetrical key pond - Google Patents

Quantum communications service station identity identifying method and system based on unsymmetrical key pond Download PDF

Info

Publication number
CN110176989A
CN110176989A CN201910402444.0A CN201910402444A CN110176989A CN 110176989 A CN110176989 A CN 110176989A CN 201910402444 A CN201910402444 A CN 201910402444A CN 110176989 A CN110176989 A CN 110176989A
Authority
CN
China
Prior art keywords
key
service station
authentication
parameters
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910402444.0A
Other languages
Chinese (zh)
Other versions
CN110176989B (en
Inventor
富尧
钟一民
余秋炜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruban Quantum Technology Co Ltd
Original Assignee
Ruban Quantum Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ruban Quantum Technology Co Ltd filed Critical Ruban Quantum Technology Co Ltd
Priority to CN201910402444.0A priority Critical patent/CN110176989B/en
Publication of CN110176989A publication Critical patent/CN110176989A/en
Application granted granted Critical
Publication of CN110176989B publication Critical patent/CN110176989B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

This application involves a kind of quantum communications service station identity identifying method and system based on unsymmetrical key pond, in the application, the key card used is independent hardware isolated equipment.A possibility that public key, private key and other relevant parameters are stored in the data safety area in key card, steal key by Malware or malicious operation substantially reduces, and will not be obtained and be cracked by quantum computer.Since, without the transmitting of public and private key and algorithm parameter is related to, the risk that unsymmetrical key is cracked is very low in classic network, in addition, encrypted transmission message is carried out using QKD between service station and service station, so the safety of message is greatly ensured.Key card has ensured communication security of the communicating pair in group, also greatly improves the safety of authentication.Unsymmetrical key pond solves pool of symmetric keys and brings key storage pressure to quantum communications service station simultaneously, reduces carrying cost.

Description

Quantum communications service station identity identifying method and system based on unsymmetrical key pond
Technical field
This application involves safety communication technology fields, more particularly to the quantum communications service station based on unsymmetrical key pond Identity identifying method and system.
Background technique
The Internet of rapid development brings huge convenience to people's lives, work, and people can be sitting in family It sent and received e-mail, made a phone call by Internet, carrying out the activities such as shopping online, bank transfer.The network information security simultaneously It is increasingly becoming a potential huge problem.In general the network information is faced with following several security risks: the network information It is stolen, information is tampered, attacker palms off information, malicious sabotage etc..
Wherein authentication is a kind of means of one of protection people's network information.Authentication is also referred to as " identity Verifying " or " identity identification ", refer to the process of confirmation operation person's identity in computer and computer network system, so that it is determined that Whether the user has access and access right to certain resource, and then enables the access strategy of computer and networks system It reliably and efficiently executes, prevents attacker from palming off the access authority that legitimate user obtains resource, guarantee the peace of system and data Entirely, and authorization visitor legitimate interests.
And currently ensure that authentication successfully mainly relies on cryptographic technique, and in field of cryptography of today, it is main Will there are two types of cryptographic system, first is that symmetric key cryptosystem, i.e. encryption key and decruption key use it is same.The other is Public key cryptosystem, i.e. encryption key and decruption key difference, one of them can be disclosed.Current most identity is recognized Card relies primarily on public key cryptography system using algorithm.
The encryption key pair (public key) and decryption key (private key) that Public Key Cryptographic Systems uses are different.Due to encryption Key be it is disclosed, the distribution of key and management are just very simple, and Public Key Cryptographic Systems can also be easily carried out number Signature.
Since public key encryption comes out, scholars propose many kinds of public key encryption methods, their safety is all base In complicated difficult math question.Classified according to the difficult math question being based on, have following three classes system be presently believed to be safety and It is effective: big integer factorization system (representative to have RSA), Discrete log systems (representative to have DSA) and ellipse from It dissipates Logarithmic system (ECC).
But with the development of quantum computer, classical asymmetric-key encryption algorithm will be no longer safe, no matter encryption and decryption Or private key can be calculated in key exchange method, quantum computer by public key, therefore currently used asymmetric close Key will become cannot withstand a single blow in the quantum epoch.Quantum key distribution equipment QKD can ensure that the key of negotiation can not be acquired at present. But QKD is mainly used for quantum main line, ustomer premises access equipment to quantum communications service station is still classic network, therefore by non-right Claim algorithm it is difficult to ensure that authentication procedures safety.
Problem of the existing technology:
1. using pool of symmetric keys between quantum communications service station and quantum key card, capacity is huge, to quantum communications The key storage in service station brings pressure;
2. quantum communications service station, which has to encrypt key, to be stored in commonly since pool of symmetric keys key capacity is huge In storage medium such as hard disk, and it can not be stored in the key card in quantum communications service station;
3. causing trouble to cipher key backup since pool of symmetric keys key capacity is huge.
Summary of the invention
Based on this, it is necessary in view of the above technical problems, provide it is a kind of can reduce service station storage data quantity based on The quantum communications service station identity identifying method in unsymmetrical key pond.
Quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in masters, and the quantum is logical Telecommunications services station authentication method includes:
The the first parameters for authentication X encrypted using first key KR1 is sent to service station, and utilizes service station public key encryption The first key KR1;The first parameters for authentication X is used to generate first for passive side after service station is forwarded to passive side Signature;
The 4th key KR4 of utilization masters public key encryption from service station is obtained, is encrypted using the 4th key KR4 The first parameters for authentication X, passive side provide the second parameters for authentication Y and second signature;Second signature is that service station is recognized Card is generated after the first signature from passive side using the first parameters for authentication X and the second parameters for authentication Y;
After decrypting and verifying second signature, third label are generated using the first parameters for authentication X and the second parameters for authentication Y Name;
The 5th key KR5 using service station public key encryption is sent to the service station and utilizes the 5th key KR5 The first parameters for authentication X, the second parameters for authentication Y of encryption and third signature;The third signature is in the service The 4th for generating after authenticating and authenticating for passive side that stand signs.
Quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in passive side, and the quantum is logical Telecommunications services station authentication method includes:
Obtain the first parameters for authentication X and utilization that the masters of utilization the second key KR2 encryption from service station provide Second key KR2 of passive side's public key encryption, the second parameters for authentication Y generated using the first parameters for authentication X and one's own side are raw At the first signature;
It sends to service station using the third key KR3 of service station public key encryption and is encrypted using the third key KR3 The first parameters for authentication X, the second parameters for authentication Y and first signature;First signature is for after the certification of the service station Generate the second signature authenticated for masters;
The 6th key KR6 using passive side's public key encryption from service station is obtained, the 6th key KR6 encryption is utilized The signature of first parameters for authentication X, the second parameters for authentication Y and the 4th;4th signature is service station certification from masters It is generated after third signature using the first parameters for authentication X and the second parameters for authentication Y, the third signature is masters certification described the It is generated after two signatures;
It decrypts and verifies the 4th signature.
Quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in service station, and the quantum is logical Telecommunications services station authentication method includes:
The the first parameters for authentication X encrypted using first key KR1 from masters is obtained, and utilizes service station public key Encryption the first key KR1, decrypt and to passive side send using the second key KR2 encrypt the first parameters for authentication X and Utilize the second key KR2 of passive side's public key encryption;
Obtain the third key KR3 and the utilization third key KR3 using service station public key encryption from passive side First parameters for authentication X of encryption, the signature of the second parameters for authentication Y and first that passive side provides, decrypts and verifies described first After signing successfully, the second signature is generated using first parameters for authentication X the second parameters for authentication Y, is sent to masters and utilizes masters 4th key KR4 of public key encryption and the first parameters for authentication X using the 4th key KR4 encryption, the second parameters for authentication Y and the Two signatures;
Obtain the 5th key KR5 and utilization the 5th key KR5 using service station public key encryption from masters The third signature that the first parameters for authentication X, the second parameters for authentication Y and masters of encryption are provided, decrypts and verifies the third After signing successfully, the 4th signature for passive side verifying is generated using first parameters for authentication X the second parameters for authentication Y, to quilt Dynamic side sends the 6th key KR6 using passive side's public key encryption and the first parameters for authentication X using the 6th key KR6 encryption, The signature of second parameters for authentication Y and the 4th.
Quantum communications service station identity identifying method based on unsymmetrical key pond, quantum communications service station authenticating party Method includes:
Active direction service station send the first information, the first information encrypted including the use of first key KR1 first The parameters for authentication X and first key KR1 for utilizing service station public key encryption;
The service station, which obtains and decrypts the first information Bao Houxiang passive side, sends the second information, second information Including the use of the second key KR2 the first parameters for authentication X encrypted and utilize the second key KR2 of passive side's public key encryption;
The passive side obtains and generates the second parameters for authentication Y after decrypting second information and utilize first certification Parameter X and the second parameters for authentication Y generates the first signature, sends third information to service station, the third information is including the use of clothes The third key KR3 of business station public key encryption and the first parameters for authentication X encrypted using the third key KR3, the second certification ginseng The signature of number Y and first;
The service station obtain, decrypt the third information and verify described first sign successfully after, utilize first to authenticate Parameter X the second parameters for authentication Y generates the second signature, sends the 4th information to masters, the 4th information is including the use of actively 4th key KR4 of square public key encryption and the first parameters for authentication X using the 4th key KR4 encryption, the second parameters for authentication Y and Second signature;
The masters obtain, decrypt the 4th information and verify described second sign successfully after, utilize first to authenticate Parameter X, the second parameters for authentication Y generate third signature;To the service station send the 5th information, the 5th information including the use of 5th key KR5 of service station public key encryption and the first parameters for authentication X using the 5th key KR5 encryption, the second certification Parameter Y and third signature;
The service station obtains, decrypts the 5th information and verifies after the third sign successfully, utilizes first to authenticate Parameter X the second parameters for authentication Y generates the 4th signature for passive side verifying, sends the 6th information to passive side, and described the Sixth key KR6 of six information including the use of passive side's public key encryption and the first parameters for authentication using the 6th key KR6 encryption X, the second parameters for authentication Y and the 4th signature;
The passive side obtains, decrypts the 6th information and verify the 4th signature.
Further, the quantum communications service station identity based on unsymmetrical key pond is recognized in the above-mentioned technical solutions Card method, first signature are generated using passive side's private key;Second signature and the 4th signature utilize service station side Private key generates;The third signature is generated using masters private key.
Further, the quantum communications service station identity based on unsymmetrical key pond is recognized in the above-mentioned technical solutions Card method, the masters are configured with masters key card, are stored with service station public key, masters in the masters key card Public key and masters private key;The passive side is configured with passive side's key card, is stored with service station in dynamic side's key card Public key, passive side's public key and passive side's private key;The service station is configured with service station key card, in the service station key card It is stored with service station private key, masters public key and passive side's public key.
The application also provides a kind of active method, apparatus, including memory and processor, and the memory is stored with computer Program, the processor realize above-mentioned quantum communications service station described herein authentication method when executing the computer program The step of.
The application also provides a kind of passive method, apparatus, including memory and processor, and the memory is stored with computer Program, the processor realize the step of quantum communications service station described herein authentication method when executing the computer program Suddenly.
The application also provides a kind of service station equipment, including memory and processor, and the memory is stored with computer Program, the processor realize the step of quantum communications service station described herein authentication method when executing the computer program Suddenly.
The application also provides the quantum communications service station identity authorization system based on unsymmetrical key pond, including is equipped with actively Side, passive side, service station and communication network;The masters are configured with masters key card, in the masters key card It is stored with service station public key, masters public key and masters private key;The passive side is configured with passive side's key card, described dynamic Service station public key, passive side's public key and passive side's private key are stored in square key card;The service station is close configured with service station Key card is stored with service station private key, masters public key and passive side's public key in the service station key card;
The masters, passive side and service station realize that quantum communications described herein take by the communication network The step of business station authentication method.
In the application, the key card used is independent hardware isolated equipment.Public key, private key and other relevant parameters are deposited A possibility that storing up the data safety area in key card, stealing key by Malware or malicious operation substantially reduces, will not It is obtained and is cracked by quantum computer.It is non-since nothing is related to the transmitting of public and private key and algorithm parameter in classic network The risk that symmetric key is cracked is very low, in addition, encrypted transmission message is carried out using QKD between service station and service station, so The safety of message is greatly ensured.Key card has ensured communication security of the communicating pair in group, also greatly mentions The high safety of authentication.Unsymmetrical key pond solves pool of symmetric keys and brings key to quantum communications service station simultaneously Pressure is stored, carrying cost is reduced.For example, the pool of symmetric keys size of original client is 1G, client number is N, Then quantum communications service station needs to store the pool of keys of N*G, and if storage unsymmetrical key pond, it is big that client stores pool of keys Small to be similarly 1G, quantum communications service station equally only needs to store the pool of keys of 1G size.
Detailed description of the invention
Fig. 1 is the pool of keys distribution schematic diagram of service station key card in the application;
Fig. 2 is the pool of keys distribution schematic diagram of client key card in the application;
Fig. 3 is that masters and passive side are connected to the authentication process figure under same service station;
Fig. 4 is that masters and passive side are connected to the authentication process figure under different service stations.
Specific embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the objects, technical solutions and advantages of the application are more clearly understood The application is further elaborated.It should be appreciated that specific embodiment described herein is only used to explain the application, not For limiting the application.Wherein the service station in the application is quantum communications service station in the case where not doing specified otherwise, Each title in the application is subject to letter and number and is combined, such as Q, service station Q, service station indicate same meaning below, That is service station Q;Such as first key KR1 again, KR1, true random number KR1, first key hereinafter indicate same meaning, i.e., One key KR1, remaining title is similarly.In concrete application scene, for ease of description, masters are assumed to be customer end A, passively Side is assumed to be customer end B, and service station is service station Q.If the ID of customer end A is IDA, customer end A public key is PKA, and customer end A is private Key is SKA;If the ID of customer end B is IDB, customer end B public key is PKB, and customer end B private key is SKB.
The application provides the quantum communications service station identity identifying method based on unsymmetrical key pond, in one embodiment, Implementing the quantum communications service station authentication method in masters includes:
The the first parameters for authentication X encrypted using first key KR1 is sent to service station, and utilizes service station public key encryption First key KR1;First parameters for authentication X is used to after service station is forwarded to passive side generate the first signature for passive side;
The 4th key KR4 of utilization masters public key encryption from service station is obtained, the encrypted using the 4th key KR4 One parameters for authentication X, the signature of the second parameters for authentication Y and second S2 that passive side provides;Second signature S2 is that service station certification comes It is generated from after the first signature of passive side using the first parameters for authentication X and the second parameters for authentication Y;
After decrypting and verifying the second signature, third is generated using the first parameters for authentication X and the second parameters for authentication Y and is signed;
The for sending the 5th key KR5 using service station public key encryption to service station and being encrypted using the 5th key KR5 One parameters for authentication X, the second parameters for authentication Y and third signature;Third signature after service station authenticates for generating for passive side 4th signature of certification.
In concrete application scene, for ease of description, masters are assumed to be customer end A, and passive side is assumed to be client B, service station are service station Q.Wherein customer end A is acted as follows:
The request Req with the authentication of customer end B is generated, requests in Req to include A | | B and other necessary informations, example Such as generate the ID that uniqueness random number is requested as this;
The first parameters for authentication X and first key KR1 is generated, wherein the first parameters for authentication X and first key KR1 is truly random Number carries out symmetric cryptography to request Req and the first parameters for authentication X using KR1 and obtains { Req | | X } KR1;
It is produced as the first signature parameter R1 of true random number, and the first signature parameter R1 is passed through into unsymmetrical key pointer letter Cipher key location pointer kp1 is calculated in number fkp;It is taken from the service station public key pond in memory according to cipher key location pointer kp1 Service station public key PKQ1 out;First key KR1 is encrypted using service station public key PKQ1 to obtain { KR1 } PKQ1;
Combine R1, { Req | | X } KR1 and { KR1 } PKQ1 to obtain R1 | | and Req | | X } KR1 | | { KR1 } PKQ1.Customer end A By R1 | | and Req | | X } KR1 | | { KR1 } PKQ1 is sent to service station Q;R1 | | and Req | | X } KR1 | | { KR1 } PKQ1 is used for through taking Business station Q is forwarded to after customer end B and generates the first signature S1 for customer end B;
Receive service station Q forwarding ID authentication request reply Req | | Y | | X | | S2 | | R3 } KR4 | | { KR4 } PKA is simultaneously Parsing obtain Req | | Y | | X | | S2 | | R3 } KR4 and { KR4 } PKA;{ KR4 } PKA is decrypted to obtain using customer end A private key SKA 4th key KR4;Using the 4th key KR4 to Req | | Y | | X | | S2 | | R3 } KR4 decrypt to obtain Req | | Y | | X | | S2 | | R3;
Wherein the second parameters for authentication Y is provided by customer end B, and third signature parameter R3 is the first signature of service station Q certification S1 The true random number generated afterwards, and for cipher key location pointer kp3 to be calculated by unsymmetrical key pointer function fkp; Cipher key location pointer kp3 takes out from the service station private key pond in memory for providing service station Q according to cipher key location pointer Service station private key SKQ3;Service station private key SKQ3 is for providing service station Q to Req | | Y | | X is signed to obtain the second signature S2;
Cipher key location pointer kp3 is calculated by unsymmetrical key pointer function fkp in third signature parameter R3;According to Cipher key location pointer takes out service station public key PKQ3 from the service station public key pond in memory;Utilize service station public key PKQ3 To Req | | Y | | the second signature S2 of X is verified;If the verification passes, then it carries out in next step, on the contrary then authentication fails;
Using customer end A private key SKA to Req | | X | | Y is signed to obtain third signature S3;
A the 5th key KR5 is generated, and using the 5th key KR5 to Req | | X | | Y | | S3 carries out symmetric cryptography and obtains {Req||X||Y||S3}KR5;A the 4th signature parameter R4 is generated again, and the 4th signature parameter R4 is passed through into unsymmetrical key Cipher key location pointer kp4 is calculated in pointer function fkp;According to cipher key location pointer kp4 from the service station in memory Public key PKQ4 in service station is taken out in public key pond;The 5th key KR5 is encrypted to obtain { KR5 } using service station public key PKQ4 PKQ4;
By R4, Req | | X | | Y | | S3 KR5 and { KR5 } PKQ4 combine to obtain R4 | | Req | | X | | Y | | S3 KR5 | | {KR5}PKQ4;R4 will be replied | | and Req | | X | | Y | | S3 } KR5 | | { KR5 } PKQ4 is sent to service station Q;Wherein third signature S3 The 4th signature S4 authenticated for customer end B is generated after service station Q certification.
Above-mentioned implementation includes in method, by carrying out to technical characteristic in the quantum communications service station authentication method of masters It rationally derives, realizes the beneficial effect for the technical issues of being able to solve proposed in background technique.
The application provides the quantum communications service station identity identifying method based on unsymmetrical key pond, in one embodiment, Implementing the quantum communications service station authentication method in passive side includes:
Obtain the first parameters for authentication X and utilization that the masters of utilization the second key KR2 encryption from service station provide Second key KR2 of passive side's public key encryption generates the using the second parameters for authentication Y that the first parameters for authentication X and one's own side generate One signature;
The for sending the third key KR3 using service station public key encryption to service station and being encrypted using third key KR3 The signature of one parameters for authentication X, the second parameters for authentication Y and first;First signature after service station authenticates for generating for masters Second signature of certification;
The 6th key KR6 using passive side's public key encryption from service station is obtained, the 6th key KR6 encryption is utilized The signature of first parameters for authentication X, the second parameters for authentication Y and the 4th;4th signature is third of the service station certification from masters It is generated after signature using the first parameters for authentication X and the second parameters for authentication Y, third signature is raw after masters certification second is signed At;
It decrypts and verifies the 4th signature.
In concrete application scene, for ease of description, masters are assumed to be customer end A, and passive side is assumed to be client B, service station are service station Q.Wherein customer end B is acted as follows:
Receive ID authentication request { Req | | X } KR2 of service station Q forwarding | | { KR2 } PKB and parsing obtain Req | | X } KR2 and { KR2 } PKB;{ KR2 } PKB is decrypted using customer end B private key SKB to obtain the second key KR;Utilize the second key KR2 decrypts { Req | | X } KR2 to obtain request Req and the first parameters for authentication X;
Generating the second parameters for authentication Y, the second parameters for authentication Y is true random number;Using customer end B private key SKB to Req | | Y | | X is signed to obtain the first signature S1;
It is produced as the third key KR3 of true random number, and using third key KR3 to Req | | Y | | X | | S1 carries out symmetrical Encryption obtain Req | | Y | | X | | S1 KR3;It is produced as the second signature parameter R2 of true random number again, and by the second signature parameter Cipher key location pointer kp2 is calculated by unsymmetrical key pointer function fkp in R2;According to cipher key location pointer kp2 from itself Public key PKQ2 in service station is taken out in service station public key pond in memory.;Using service station public key PKQ2 to third key KR3 into Row encryption obtains { KR3 } PKQ2;By R2, Req | | Y | | X | | S1 KR3 and { KR3 } PKQ2 combine to obtain R2 | | Req | | Y | | X | |S1}KR3||{KR3}PKQ2;R2 is replied into request | | and Req | | Y | | X | | S1 } KR3 | | { KR3 } PKQ2 is sent to service station Q;
Wherein the first signature S1 is used to after service station Q certification generate the second signature S2 authenticated for customer end A;
Receive service station Q forwarding ID authentication request reply Req | | X | | Y | | S4 | | R5 } KR6 | | { KR6 } PKB is simultaneously Parsing obtain Req | | X | | Y | | S4 | | R5 } KR6 and { KR6 } PKB;{ KR6 } PKB is decrypted to obtain using customer end B private key SKB 6th key KR6;Using the 6th key KR6 to Req | | X | | Y | | S4 | | R5 } KR6 decrypt to obtain Req | | X | | Y | | S4 | | R5; Wherein the 4th signature S4 is generated after service station Q authenticates the third signature S3 from customer end A, and third signature S3 is customer end A It is generated after the second signature of certification S2;
Cipher key location pointer kp5 is calculated by unsymmetrical key pointer function fkp in 5th signature parameter R5;According to Cipher key location pointer kp5 takes out service station public key PKQ5 from the service station public key pond in memory;Utilize service station public affairs Key PKQ5 is to Req | | X | | the 4th signature S4 of Y is verified.If the verification passes, then carry out authentication success, it is on the contrary then Authentication failure.
Above-mentioned implementation includes in method, by carrying out to technical characteristic in the quantum communications service station authentication method of passive side It rationally derives, realizes the beneficial effect for the technical issues of being able to solve proposed in background technique.
The application provides the quantum communications service station identity identifying method based on unsymmetrical key pond, in one embodiment, Implement in service station, quantum communications service station authentication method includes:
The the first parameters for authentication X encrypted using first key KR1 from masters is obtained, and utilizes service station public key The first key KR1 of encryption is decrypted and is sent the first parameters for authentication X and the utilization using the second key KR2 encryption to passive side Second key KR2 of passive side's public key encryption;
Obtain encrypting using the third key KR3 of service station public key encryption and using third key KR3 from passive side The first parameters for authentication X, passive side provide the second parameters for authentication Y and first signature, decrypt and verify the first signature success Afterwards, the second signature is generated using first parameters for authentication X the second parameters for authentication Y, is sent to masters and utilizes masters public key encryption The 4th key KR4 and using the 4th key KR4 encryption the first parameters for authentication X, the second parameters for authentication Y and second signature;
Obtain encrypting using the 5th key KR5 of service station public key encryption and using the 5th key KR5 from masters The first parameters for authentication X, the second parameters for authentication Y and masters provide third signature, decrypt and verify third and sign successfully Afterwards, the 4th signature verified for passive side is generated using first parameters for authentication X the second parameters for authentication Y, is sent and is utilized to passive side 6th key KR6 of passive side's public key encryption and the first parameters for authentication X, the second parameters for authentication Y encrypted using the 6th key KR6 And the 4th signature.
In concrete application scene, for ease of description, masters are assumed to be customer end A, and passive side is assumed to be client B, service station are service station Q.Wherein service station Q is acted as follows:
Receive the request R1 that customer end A is sent | | { Req | | X } KR1 | | { KR1 } PKQ1 parses to obtain R1, { Req | | X } KR1 and { KR1 } PKQ1;Cipher key location pointer is calculated by unsymmetrical key pointer function fkp in first signature parameter R1 kp1;Private key SKQ1 in service station is taken out from the service station private key pond in memory according to cipher key location pointer kp1;Utilize service The private key SKQ1 that stands is decrypted to obtain first key KR1 to { KR1 } PKQ1;Using the obtained first key KR1 of decryption to Req | | X } KR1 decrypts to obtain request Req and the first parameters for authentication X;
It is produced as the second key KR2 of true random number, and using the second key KR2 to Req | | X carries out symmetric cryptography and obtains {Req||X}KR2;Customer end B public key PKB is removed out from client public key pond according to the IDB for including in request Req;Utilize client B public key PKB encrypts the second key KR2 to obtain { KR2 } PKB;It combines { Req | | X } KR2 and { KR2 } PKB to obtain { Req ||X}KR2||{KR2}PKB;Will Req | | and X } KR2 | | { KR2 } PKB is sent to customer end B.
Receive the request that customer end B is sent and reply R2 | | and Req | | Y | | X | | S1 } KR3 | | { KR3 } PKQ2 parses to obtain R2, Req | | Y | | X | | S1 } KR3 and { KR3 } PKQ2;Second signature parameter R2 is counted by unsymmetrical key pointer function fkp Calculation obtains cipher key location pointer kp2;Clothes are taken out from the service station private key pond in memory according to cipher key location pointer kp2 Business station private key SKQ2;{ KR3 } PKQ2 is decrypted using service station private key SKQ2 to obtain third key KR3;Using decrypting To third key KR3 to Req | | Y | | X | | S1 KR3 decrypt to obtain Req | | Y | | X | | S1.
Customer end B public key PKB is obtained, using customer end B public key PKB to Req | | Y | | the first signature S1 of X is verified; If the verification passes, then it carries out in next step, on the contrary then authentication fails;It is produced as the third signature parameter R3 of true random number, And cipher key location pointer kp3 is calculated by unsymmetrical key pointer function fkp in third signature parameter R3;According to secret key bits It sets pointer kp3 and takes out private key SKQ3 in service station from the service station private key pond in memory;Utilize service station private key SKQ3 To Req | | Y | | X is signed to obtain four youngsters signature S2;
It is produced as the 4th key KR4 of true random number, and using the 4th key KR4 to Req | | Y | | X | | S2 | | R3 is carried out Symmetric cryptography obtain Req | | Y | | X | | S2 | | R3 } KR4;Visitor is taken out from client public key pond according to the IDA for including in request Req Family end A public key PKA;The 4th key KR4 is encrypted using customer end A public key PKA to obtain { KR4 } PKA;
Will Req | | Y | | X | | S2 | | R3 } KR4 and { KR4 } PKA combine to obtain Req | | Y | | X | | S2 | | R3 } KR4 | | {KR4}PKA;Will Req | | Y | | X | | S2 | | R3 } KR4 | | { KR4 } PKA is sent to customer end A.
Receive the reply R4 that customer end A is sent | | and Req | | X | | Y | | S3 KR5 | | { KR5 } PKQ4 parse to obtain R4, Req | | X | | Y | | S3 } KR5 and { KR5 } PKQ4;4th signature parameter R4 is calculated by unsymmetrical key pointer function fkp To cipher key location pointer kp4;Service station is taken out from the service station private key pond in memory according to cipher key location pointer kp4 Private key SKQ4;{ KR5 } PKQ4 is decrypted to obtain the 5th key KR5 using service station private key SKQ4;It is obtained using decryption 5th key KR5 to Req | | X | | Y | | S3 KR5 decrypt to obtain Req | | X | | Y | | S3;
Customer end A public key PKA is obtained, using customer end A public key PKA to Req | | X | | the third signature S3 of Y is verified; If the verification passes, then it carries out in next step, on the contrary then authentication fails;It is produced as the 5th signature parameter R5 of true random number, And cipher key location pointer kp5 is calculated by unsymmetrical key pointer function fkp in the 5th signature parameter R5;According to secret key bits It sets pointer kp5 and takes out private key SKQ5 in service station from the service station private key pond in memory;Utilize service station private key SKQ5 To Req | | X | | Y is signed to obtain the 4th signature S4;
It is produced as the 6th key KR6 of true random number, and using the 6th key KR6 to Req | | X | | Y | | S4 | | R5 is carried out Symmetric cryptography obtain Req | | X | | Y | | S4 | | R5 } KR6;Customer end B public key PKB is taken out from client public key pond;Utilize client End B public key PKB encrypts the 6th key KR6 to obtain { KR6 } PKB.
Will Req | | X | | Y | | S4 | | R5 } KR6 and { KR6 } PKB combine to obtain Req | | X | | Y | | S4 | | R5 } KR6 | | {KR6}PKB;Will Req | | X | | Y | | S4 | | R5 } KR6 | | { KR6 } PKB is sent to customer end B.
Quantum communications service station authentication method of the above-mentioned implementation in service station includes in method, by carrying out to technical characteristic It rationally derives, realizes the beneficial effect for the technical issues of being able to solve proposed in background technique.
The application provides the quantum communications service station identity identifying method based on unsymmetrical key pond, in one embodiment, Quantum communications service station authentication method includes:
Active direction service station sends the first information, the first certification that the first information is encrypted including the use of first key KR1 The parameter X and first key KR1 for utilizing service station public key encryption;
Service station, which obtains and decrypts first information Bao Houxiang passive side, sends the second information, and the second information is including the use of second First parameters for authentication X of key KR2 encryption and the second key KR2 for utilizing passive side's public key encryption;
Passive side obtains and generates the second parameters for authentication Y after decrypting the second information and utilize the first parameters for authentication X and second Parameters for authentication Y generates the first signature, sends third information to service station, third information is including the use of the of service station public key encryption Three key KR3 and the signature of the first parameters for authentication X, the second parameters for authentication Y and first for utilizing third key KR3 encryption;
After service station obtains, decrypts third information and verifying first is signed successfully, the first parameters for authentication X second is utilized to authenticate Parameter Y generates the second signature, sends the 4th information to masters, the 4th information is the 4th close including the use of masters public key encryption Key KR4 and the first parameters for authentication X encrypted using the 4th key KR4, the second parameters for authentication Y and the second signature;
After masters obtain, decrypt the 4th information and verifying second is signed successfully, recognized using the first parameters for authentication X, second It demonstrate,proves parameter Y and generates third signature;The 5th information is sent to service station, the 5th information is including the use of the 5th of service station public key encryption Key KR5 and the first parameters for authentication X, the second parameters for authentication Y and third signature for utilizing the 5th key KR5 encryption;
Service station obtains, the 5th information of decryption and verifies after third sign successfully, utilizes the first parameters for authentication X second certification Parameter Y generates the 4th signature verified for passive side, sends the 6th information to passive side, the 6th information is including the use of passive side's public affairs 6th key KR6 of key encryption and the first parameters for authentication X, the second parameters for authentication Y and the 4th encrypted using the 6th key KR6 Signature;
Passive side obtains, the 6th information of decryption and verifying the 4th are signed.
In concrete application scene, for ease of description, masters are assumed to be customer end A, and passive side is assumed to be client B, service station are service station Q.
Step 1: customer end A initiates the ID authentication request with customer end B
Include A in customer end A generation and the request Req, Req of the authentication of customer end B | | B and other necessity are believed Breath, such as generate the ID that uniqueness random number is requested as this.Customer end A generates the X and KR1 that two are true random number, visitor Family end A carries out symmetric cryptography to Req and X using KR1 and obtains { Req | | X } KR1.
Customer end A generates the R1 of a true random number, and the R1 of true random number is passed through unsymmetrical key pointer function fkp Cipher key location pointer kp1 is calculated.Customer end A is public from the service station in customer end A key card according to cipher key location pointer kp1 Public key PKQ1 in service station is taken out in key pond.Customer end A encrypts KR1 using PKQ1 to obtain { KR1 } PKQ1.
Customer end A combines R1, { Req | | X } KR1 and { KR1 } PKQ1 to obtain R1 | | and Req | | X } KR1 | | { KR1 } PKQ1. Customer end A is by R1 | | and Req | | X } KR1 | | { KR1 } PKQ1 is sent to quantum communications service station Q.
Step 2: quantum communications service station Q forwards the request to customer end B
The request R1 that service station Q is sent according to customer end A is received | | and Req | | X } KR1 | | { KR1 } PKQ1 parses to obtain R1, Req | | and X } KR1 and { KR1 } PKQ1.Service station Q calculates the R1 of true random number by unsymmetrical key pointer function fkp Obtain cipher key location pointer kp1.Service station Q is according to cipher key location pointer kp1 from the service station private key pond in the key card of service station Middle taking-up service station private key SKQ1.Service station Q is decrypted to obtain KR1 using SKQ1 to { KR1 } PKQ1.Service station Q utilizes solution Close obtained KR1 decrypts to obtain Req and X to { Req | | X } KR1.
Service station Q generates the KR2 of a true random number, and using KR2 to Req | | X progress symmetric cryptography obtain Req | | X}KR2.Service station Q removes out the public key PKB of customer end B according to the IDB for including in Req from client public key pond.Service station Q is utilized PKB encrypts KR2 to obtain { KR2 } PKB.
Service station Q combines { Req | | X } KR2 and { KR2 } PKB to obtain { Req | | X } KR2 | | { KR2 } PKB.Service station Q will Req | | and X } KR2 | | { KR2 } PKB is sent to customer end B.
Step 3: customer end B replys request
Customer end B receives ID authentication request { Req | | X } KR2 of service station Q forwarding | | { KR2 } PKB and parsing is obtained Req | | and X } KR2 and { KR2 } PKB.Customer end B decrypts to obtain KR2 using customer end B private key SKB to { KR2 } PKB.Customer end B { Req | | X } KR2 is decrypted to obtain Req and X using KR2.
Customer end B generates the Y of a true random number.Customer end B is using customer end B private key SKB to Req | | Y | | X is signed Name obtains S1.Customer end B generates the KR3 of a true random number, and using KR3 to Req | | Y | | X | | S1 carries out symmetric cryptography and obtains To Req | | Y | | X | | S1 } KR3.Customer end B generates the R2 of a true random number again, and true random number R2 is passed through asymmetric close Cipher key location pointer kp2 is calculated in key pointer function fkp.Customer end B is according to cipher key location pointer from customer end B key card Service station public key pond in take out service station public key PKQ2.Customer end B encrypts KR3 using PKQ2 to obtain { KR3 } PKQ2.
Customer end B by R2, Req | | Y | | X | | S1 KR3 and { KR3 } PKQ2 combine to obtain R2 | | Req | | Y | | X | | S1 KR3||{KR3}PKQ2.Request is replied R2 by customer end B | | and Req | | Y | | X | | S1 } KR3 | | it is logical that { KR3 } PKQ2 is sent to quantum Telecommunications services station Q.
Step 4: request is replied and is forwarded to customer end A by quantum communications service station Q
Service station Q replys R2 according to the request that customer end B is sent is received | | and Req | | Y | | X | | S1 } KR3 | | { KR3 } PKQ2 parse to obtain R2, Req | | Y | | X | | S1 KR3 and { KR3 } PKQ2.Service station Q passes through the R2 of true random number asymmetric Cipher key location pointer kp2 is calculated in key indicator function fkp.Service station Q is according to cipher key location pointer kp2 from service station key Private key SKQ2 in service station is taken out in service station private key pond in card.Service station Q is decrypted to obtain using SKQ2 to { KR3 } PKQ2 KR3.Service station Q using the obtained KR3 of decryption to Req | | Y | | X | | S1 KR3 decrypt to obtain Req | | Y | | X | | S1.
Service station Q obtains the public key PKB of customer end B, using public key PKB to Req | | Y | | the signature S1 of X is verified.Such as Fruit is verified, then carries out in next step, on the contrary then authentication fails.Service station Q generates the R3 of a true random number, and will be true Cipher key location pointer kp3 is calculated by unsymmetrical key pointer function fkp in the R3 of random number.Service station Q is according to secret key bits It sets pointer kp3 and takes out private key SKQ3 in service station from the service station private key pond in the key card of service station.Service station Q utilizes SKQ3 pairs Req | | Y | | X is signed to obtain S2.
Service station Q generates the KR4 of a true random number, and using KR4 to Req | | Y | | X | | S2 | | R3 carries out symmetric cryptography Obtain Req | | Y | | X | | S2 | | R3 } KR4.Service station Q takes out customer end A from client public key pond according to the IDA for including in Req Public key PKA.Service station Q encrypts KR4 using PKA to obtain { KR4 } PKA.
Service station Q will Req | | Y | | X | | S2 | | R3 } KR4 and { KR4 } PKA combine to obtain Req | | Y | | X | | S2 | | R3 } KR4||{KR4}PKA.Service station Q general Req | | Y | | X | | S2 | | R3 } KR4 | | { KR4 } PKA is sent to customer end A.
Step 5: customer end A Authentication Client B is simultaneously replied
Customer end A receive service station Q forwarding ID authentication request reply Req | | Y | | X | | S2 | | R3 } KR4 | | { KR4 } PKA and parsing obtain Req | | Y | | X | | S2 | | R3 } KR4 and { KR4 } PKA.Customer end A utilizes customer end A private key SKA { KR4 } PKA is decrypted to obtain KR4.Customer end A using KR4 to Req | | Y | | X | | S2 | | R3 } KR4 decrypt to obtain Req | | Y | | X ||S2||R3。
Cipher key location pointer is calculated by unsymmetrical key pointer function fkp in the R3 of true random number by customer end A kp3.Customer end A takes out service station public key according to cipher key location pointer kp3 from the service station public key pond in customer end A key card PKQ3.Using public key PKQ3 to Req | | Y | | the signature S2 of X is verified.If the verification passes, then carry out in next step, it is on the contrary then Authentication failure.
Customer end A is using customer end A private key SKA to Req | | X | | Y is signed to obtain S3.Customer end A generates one very The KR5 of random number, and using KR5 to Req | | X | | Y | | S3 carry out symmetric cryptography obtain Req | | X | | Y | | S3 KR5.Client A generates the R4 of a true random number again, and key is calculated by unsymmetrical key pointer function fkp in the R4 of true random number Position indicator pointer kp4.Customer end A takes out clothes according to cipher key location pointer kp4 from the service station public key pond in customer end A key card Business station public key PKQ4.Customer end A encrypts KR5 using PKQ4 to obtain { KR5 } PKQ4.
Customer end A by R4, Req | | X | | Y | | S3 KR5 and { KR5 } PKQ4 combine to obtain R4 | | Req | | X | | Y | | S3 KR5||{KR5}PKQ4.Customer end A will reply R4 | | and Req | | X | | Y | | S3 } KR5 | | { KR5 } PKQ4 is sent to quantum communications clothes Business station Q.
Step 6: reply is forwarded to customer end B by quantum communications service station Q
The reply R4 that service station Q is sent according to customer end A is received | | and Req | | X | | Y | | S3 } KR5 | | { KR5 } PKQ4 solution Analysis obtain R4, Req | | X | | Y | | S3 KR5 and { KR5 } PKQ4.Service station Q refers to the R4 of true random number by unsymmetrical key Cipher key location pointer kp4 is calculated in needle function fkp.Service station Q is according to cipher key location pointer kp4 from the key card of service station Private key SKQ4 in service station is taken out in the private key pond of service station.Service station Q is decrypted to obtain KR5 using SKQ4 to { KR5 } PKQ4.Clothes Business station Q using the obtained KR5 of decryption to Req | | X | | Y | | S3 KR5 decrypt to obtain Req | | X | | Y | | S3.
Service station Q obtains the public key PKA of customer end A, using public key PKA to Req | | X | | the signature S3 of Y is verified.Such as Fruit is verified, then carries out in next step, on the contrary then authentication fails.Service station Q generates the R5 of a true random number, and will be true Cipher key location pointer kp5 is calculated by unsymmetrical key pointer function fkp in the R5 of random number.Service station Q is according to secret key bits It sets pointer kp5 and takes out private key SKQ5 in service station from the service station private key pond in the key card of service station.Service station Q utilizes SKQ5 pairs Req | | X | | Y is signed to obtain S4.
Service station Q generates the KR6 of a true random number, and using KR6 to Req | | X | | Y | | S4 | | R5 carries out symmetric cryptography Obtain Req | | X | | Y | | S4 | | R5 } KR6.Service station Q removes out the public key PKB of customer end B from client public key pond.Service station Q KR6 is encrypted using PKB to obtain { KR6 } PKB.
Service station Q will Req | | X | | Y | | S4 | | R5 } KR6 and { KR6 } PKB combine to obtain Req | | X | | Y | | S4 | | R5 } KR6||{KR6}PKB.Service station Q general Req | | X | | Y | | S4 | | R5 } KR6 | | { KR6 } PKB is sent to customer end B.
Step 7: customer end B Authentication Client A
Customer end B receive service station Q forwarding ID authentication request reply Req | | X | | Y | | S4 | | R5 } KR6 | | { KR6 } PKB and parsing obtain Req | | X | | Y | | S4 | | R5 } KR6 and { KR6 } PKB.Customer end B utilizes customer end B private key SKB { KR6 } PKB is decrypted to obtain KR6.Customer end B using KR6 to Req | | X | | Y | | S4 | | R5 } KR6 decrypt to obtain Req | | X | | Y ||S4||R5。
Cipher key location pointer is calculated by unsymmetrical key pointer function fkp in the R5 of true random number by customer end B kp5.Customer end B takes out service station public key according to cipher key location pointer kp5 from the service station public key pond in customer end B key card PKQ5.Using public key PKQ5 to Req | | X | | the signature S4 of Y is verified.If the verification passes, then authentication success is carried out, On the contrary then authentication fails.
Above-mentioned quantum communications service station authentication method includes, by rationally being derived to technical characteristic, realizing in method The beneficial effect for the technical issues of being able to solve proposed in background technique.
Disclosed herein as well is the quantum communications service station identity identifying methods based on unsymmetrical key pond, in an embodiment In, masters and passive side are located in different service station systems, and for ease of description, masters are assumed to be customer end A, Passive side is assumed to be customer end B, and two service stations are respectively service station QA and service station QB, and customer end A and service station QA's is logical Believe and verification process is consistent in above-mentioned technical proposal therefore is not stating;The communication of customer end B and service station QB and recognize Therefore card process is consistent in above-mentioned technical proposal no longer to be stated, hereafter describe emphasis between service station QA and service station QB Communication process.
By service station, QA is received for request after the request of customer end A is forwarded to service station QB:
The request R1 that service station QA is sent according to customer end A is received | | and Req | | X } KR1 | | { KR1 } PKQA1 is parsed To R1, { Req | | X } KR1 and { KR1 } PKQA1.The R1 of true random number is passed through unsymmetrical key pointer function fkp by service station QA Cipher key location pointer kp1 is calculated.Service station QA is according to cipher key location pointer kp1 from the service station in the QA key card of service station Service station QA private key SKQA1 is taken out in private key pond.Service station QA is decrypted to obtain KR1 using SKQA1 to { KR1 } PKQA1.Clothes Business station QA decrypts to obtain Req and X using the obtained KR1 of decryption to { Req | | X } KR1.
The key pair Req and X that service station QA is negotiated using QKD generate message authentication code and by message authentication codes and Req | | X Quantum communications service station QB is sent to after symmetric cryptography.In the application, the message authentication algorithm for generating message authentication code is excellent It is selected as hmac algorithm.
For request reply is forwarded to service station QA after replying by the request that QB receives customer end B by service station:
Service station QB replys R2 according to the request that customer end B is sent is received | | and Req | | Y | | X | | S1 } KR3 | | { KR3 } PKQB1 parse to obtain R2, Req | | Y | | X | | S1 KR3 and { KR3 } PKQB1.It is non-right that service station QB passes through the R2 of true random number Claim key indicator function fkp that cipher key location pointer kp2 is calculated.Service station QB is according to cipher key location pointer kp2 from service station Service station QB private key SKQB1 is taken out in service station private key pond in QB key card.Service station QB is using SKQB1 to { KR3 } PKQB1 It is decrypted to obtain KR3.Service station QB using the obtained KR3 of decryption to Req | | Y | | X | | S1 KR3 decrypt to obtain Req | | Y | |X||S1}。
Service station QB obtains the public key PKB of customer end B, using public key PKB to Req | | Y | | the signature S1 of X is verified. If the verification passes, then it carries out in next step, on the contrary then authentication fails.
The key pair Req that service station QB utilizes QKD to negotiate | | Y | | X generates message authentication code and by message authentication code and Req | | Y | | quantum communications service station QA is sent to after X symmetric cryptography.
Reply signature after receiving the signature of customer end A verifying customer end B with service station QA will reply the amount of being forwarded to of signing For sub- communication service station QB:
The reply R4 that service station QA is sent according to customer end A is received | | and Req | | X | | Y | | S3 } KR5 | | { KR5 } PKQA3 Parsing obtain R4, Req | | X | | Y | | S3 KR5 and { KR5 } PKQA3.Service station QA passes through the R4 of true random number asymmetric close Cipher key location pointer kp4 is calculated in key pointer function fkp.Service station QA is close from service station QA according to cipher key location pointer kp4 Service station QA private key SKQA3 is taken out in service station private key pond in key card.Service station QA carries out { KR5 } PKQA3 using SKQ4 Decryption obtains KR5.Service station QA using the obtained KR5 of decryption to Req | | X | | Y | | S3 KR5 decrypt to obtain Req | | X | | Y | | S3}。
Service station Q obtains the public key PKA of customer end A, using public key PKA to Req | | X | | the signature S3 of Y is verified.Such as Fruit is verified, then carries out in next step, on the contrary then authentication fails.
The key pair Req that service station QA utilizes QKD to negotiate | | X | | Y generates message authentication code and by message authentication code and Req | | X | | quantum communications service station QB is sent to after Y symmetric cryptography.
In one embodiment, the first signature is generated using passive side's private key;Second signature and the 4th signature utilize service station Square private key generates;Third signature is generated using masters private key.
The design makes full use of the Public Key Cryptographic Systems in asymmetric encryption that can also be easily carried out digital label It the advantages of name, is improved efficiency while the safety for ensuring authentication procedures.
In one embodiment, masters are equipped with masters key card, are stored with service station public key in masters key card, Masters public key and masters private key;Passive side is equipped with passive side's key card, is stored with service station public affairs in dynamic side's key card Key, passive side's public key and passive side's private key;Service station is equipped with service station key card, is stored with service in the key card of service station It stands private key, masters public key and passive side's public key.
The key card side of issuing in the application is the supervisor side of key card, the generally administrative department of group, such as certain The administrative department of enterprise or public institution;The member that the key card side of being awarded is managed by the supervisor side of key card, generally certain The employees at different levels of enterprise or public institution.Supervisor side's application that masters or the client of passive side arrive key card first is opened an account. After masters or the client of passive side carry out registering granted, key card will be obtained (there is unique key card ID). Key card stores client enrollment register information.Public affairs in the client key card of masters or passive side under same service station Key pond is all downloaded from down the same Key Management server, and in the client key card of its each masters or passive side issued The public key pond of storage is completely the same.Preferably, the pool of keys size stored in key card can be 1G, 2G, 4G, 8G, 16G, 32G, 64G, 128G, 256G, 512G, 1024G, 2048G, 4096G etc..
Key card is developed from smart card techniques, is combined with real random number generator (preferably quantum random number Generator), cryptological technique, the authentication of hardware security isolation technology and encryption and decryption product.The embedded chip of key card and Operating system can provide the functions such as secure storage and the cryptographic algorithm of key.Due to it with independent data-handling capacity and Good safety, key card become the safety barrier of private key and pool of keys.Each key card has the protection of hardware PIN code, PIN code and hardware constitute two necessary factors that user uses key card.I.e. so-called " double factor authentication, " user is only simultaneously The key card and user's PIN code for saving relevant authentication information are obtained, it just can be with login system.Even if the PIN code of user is let out Dew, as long as the key card that user holds is not stolen, the identity of legitimate user would not be counterfeit;If the key card of user is lost It loses, the person of picking up also cannot counterfeit the identity of legitimate user due to not knowing user's PIN code.
In the application, key card is divided into service station key card and client key card, and client key card includes masters Key card and passive side's key card.As shown in figure 1, the key zone of service station key card is mainly stored with client public key pond and service It stands private key pond;In Fig. 2, the key zone of client key card is mainly stored with service station public key pond and a pair of of public private key pair.Institute Key card is stated to be issued by Key Management server.
Key Management server can select a kind of algorithm for not only having supported encryption and decryption but also support signature before issuing key card. Key Management server generates respective numbers according to the quantity of client and meets the number of the algorithm specification as private key and public key. Key Management server generates the ID of respective numbers, and chooses the public private key pair of respective numbers, and public key therein and ID is taken to carry out Combination obtains ID/ public key, and formation public key pond file in same file is written in the form of ID/ public key, i.e., above-mentioned client is public Key pond.Meanwhile corresponding private key is also written to formation private key pond file in file by Key Management server in an identical manner, That is client private key pond.The ID of each private key is identical as the ID of corresponding public key in client public key pond in client private key pond.It is close Key management server generates the number for largely meeting the algorithm specification as private key and public key again.Key Management server will be public Private key, which is respectively written into two files, forms service station public key pond and service station private key pond.Public key in the public key pond of service station with The private key of same position is corresponding in the private key pond of service station.The first key card issued is defined as service station by Key Management server Key card, and by service station private key pond and client public key pond and related algorithm parameter write-in key card key zone.Key The subsequent key card issued of management server is client key card.Key Management server random number selection one is unallocated ID distribute to key card, and public and private key and the service station public key pond of identical ID are taken from client public key pond and client private key pond The key zone of key card is written, relevant parameter is written in key card together.
In one embodiment, a kind of computer equipment is provided, such as computer equipment can be masters hereafter Equipment, passive method, apparatus or service station equipment, internal structure chart can be as shown in figure Y.The computer equipment includes passing through to be Processor, memory, network interface, display screen and the input unit of bus of uniting connection.Wherein, the processor of the computer equipment For providing calculating and control ability.The memory of the computer equipment includes non-volatile memory medium, built-in storage.This is non- Volatile storage medium is stored with operating system and computer program.The built-in storage is the operation in non-volatile memory medium The operation of system and computer program provides environment.The network interface of the computer equipment is used to pass through network with external terminal Connection communication.To realize a kind of XXX method when the computer program is executed by processor.The display screen of the computer equipment can be with It is liquid crystal display or electric ink display screen, the input unit of the computer equipment can be the touch covered on display screen Layer, is also possible to the key being arranged on computer equipment shell, trace ball or Trackpad, can also be external keyboard, touch-control Plate or mouse etc..
It will be understood by those skilled in the art that structure shown in Fig. 3, only part relevant to application scheme is tied The block diagram of structure does not constitute the restriction for the computer equipment being applied thereon to application scheme, specific computer equipment It may include perhaps combining certain components or with different component layouts than more or fewer components as shown in the figure.
In another embodiment of the application, a kind of active method, apparatus is provided, including memory and processor, memory are deposited Computer program is contained, processor realizes quantum communications service station authenticating party in the respective embodiments described above when executing computer program The step of method.
In another embodiment of the application, a kind of passive method, apparatus is provided, including memory and processor, memory are deposited Computer program is contained, processor realizes quantum communications service station authenticating party in the respective embodiments described above when executing computer program The step of method.
In another embodiment of the application, a kind of service station equipment is provided, including memory and processor, memory are deposited Computer program is contained, processor realizes quantum communications service station authenticating party in the respective embodiments described above when executing computer program The step of method.
Specific restriction about active method, apparatus, passive method, apparatus and service station equipment and system may refer to above In restriction for quantum communications service station authentication method, details are not described herein.Modules in above-mentioned active method, apparatus can It is realized fully or partially through software, hardware and combinations thereof.Above-mentioned each module can be embedded in the form of hardware or independently of meter It calculates in the processor in machine equipment, can also be stored in a software form in the memory in computer equipment, in order to handle Device, which calls, executes the corresponding operation of the above modules.
In another embodiment of the application, provides a kind of quantum communications service station identity based on unsymmetrical key pond and recognize Card system, including it is equipped with masters, passive side, service station and communication network;The masters are configured with masters key card, Service station public key, masters public key and masters private key are stored in the masters key card;The passive side is configured with Passive side's key card is stored with service station public key, passive side's public key and passive side's private key in dynamic side's key card;The clothes Business station is configured with service station key card, is stored with service station private key in the service station key card, masters public key and passive Square public key;
The masters, passive side and service station realize that quantum communications take in the respective embodiments described above by communication network The step of business station authentication method.
Each technical characteristic of above embodiments can be combined arbitrarily, for simplicity of description, not to above-described embodiment In each technical characteristic it is all possible combination be all described, as long as however, the combination of these technical characteristics be not present lance Shield all should be considered as described in this specification.
The several embodiments of the application above described embodiment only expresses, the description thereof is more specific and detailed, but simultaneously It cannot therefore be construed as limiting the scope of the patent.It should be pointed out that coming for those of ordinary skill in the art It says, without departing from the concept of this application, various modifications and improvements can be made, these belong to the protection of the application Range.Therefore, the scope of protection shall be subject to the appended claims for the application patent.

Claims (10)

1. the quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in masters, which is characterized in that institute Stating quantum communications service station authentication method includes:
The the first parameters for authentication X encrypted using first key KR1, and the institute using service station public key encryption are sent to service station State first key KR1;The first parameters for authentication X is used to after service station is forwarded to passive side generate the first label for passive side Name;
The 4th key KR4 of utilization masters public key encryption from service station is obtained, the encrypted using the 4th key KR4 One parameters for authentication X, the signature of the second parameters for authentication Y and second that passive side provides;Second signature is that service station certification comes It is generated from after the first signature of passive side using the first parameters for authentication X and the second parameters for authentication Y;
After decrypting and verifying second signature, third is generated using the first parameters for authentication X and the second parameters for authentication Y and is signed;
It sends to the service station using the 5th key KR5 of service station public key encryption and is encrypted using the 5th key KR5 The first parameters for authentication X, the second parameters for authentication Y and the third signature;The third signature in the service station for recognizing The 4th signature authenticated for passive side is generated after card.
2. the quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in passive side, which is characterized in that institute Stating quantum communications service station authentication method includes:
The the first parameters for authentication X and utilize passively that the masters of utilization second key KR2 encryption of the acquisition from service station provide Second key KR2 of square public key encryption generates the using the second parameters for authentication Y that the first parameters for authentication X and one's own side generate One signature;
The for sending the third key KR3 using service station public key encryption to service station and being encrypted using the third key KR3 The signature of one parameters for authentication X, the second parameters for authentication Y and first;First signature after the certification of the service station for generating For the second signature of masters certification;
The 6th key KR6 using passive side's public key encryption from service station is obtained, utilizes the first of the 6th key KR6 encryption Parameters for authentication X, the second parameters for authentication Y and the 4th signature;4th signature is third of the service station certification from masters It is generated after signature using the first parameters for authentication X and the second parameters for authentication Y, the third signature is masters certification second label It is generated after name;
It decrypts and verifies the 4th signature.
3. the quantum communications service station identity identifying method based on unsymmetrical key pond is implemented in service station, which is characterized in that institute Stating quantum communications service station authentication method includes:
The the first parameters for authentication X encrypted using first key KR1 from masters is obtained, and utilizes service station public key encryption The first key KR1, decrypt simultaneously to passive side send using the second key KR2 encrypt the first parameters for authentication X and utilization Second key KR2 of passive side's public key encryption;
Obtain encrypting using the third key KR3 of service station public key encryption and using the third key KR3 from passive side The first parameters for authentication X, passive side provide the second parameters for authentication Y and first signature, decrypt and verify it is described first signature After success, the second signature is generated using first parameters for authentication X the second parameters for authentication Y, is sent to masters and utilizes masters public key 4th key KR4 of encryption and the first parameters for authentication X encrypted using the 4th key KR4, the second parameters for authentication Y and the second label Name;
Obtain encrypting using the 5th key KR5 of service station public key encryption and using the 5th key KR5 from masters The first parameters for authentication X, the second parameters for authentication Y and the third signature that provides of masters, decrypt and verify third signature After success, the 4th signature for passive side verifying is generated using first parameters for authentication X the second parameters for authentication Y, to passive side The the first parameters for authentication X for sending the 6th key KR6 using passive side's public key encryption and being encrypted using the 6th key KR6, second The signature of parameters for authentication Y and the 4th.
4. the quantum communications service station identity identifying method based on unsymmetrical key pond, which is characterized in that the quantum communications clothes Business station authentication method include:
Active direction service station sends the first information, the first certification that the first information is encrypted including the use of first key KR1 The parameter X and first key KR1 for utilizing service station public key encryption;
The service station, which obtains and decrypts the first information Bao Houxiang passive side, sends the second information, and second information includes Using the second key KR2 the first parameters for authentication X encrypted and utilize the second key KR2 of passive side's public key encryption;
The passive side obtains and generates the second parameters for authentication Y after decrypting second information and utilize first parameters for authentication X and the second parameters for authentication Y generates the first signature, sends third information to service station, the third information is including the use of service station The third key KR3 of public key encryption and using third key KR3 encryption the first parameters for authentication X, the second parameters for authentication Y with And first signature;
The service station obtain, decrypt the third information and verify described first sign successfully after, utilize the first parameters for authentication X Second parameters for authentication Y generates the second signature, sends the 4th information to masters, the 4th information is including the use of masters public key 4th key KR4 of encryption and the first parameters for authentication X encrypted using the 4th key KR4, the second parameters for authentication Y and the second label Name;
The masters obtain, decrypt the 4th information and verify described second sign successfully after, utilize the first parameters for authentication X, the second parameters for authentication Y generates third signature;The 5th information is sent to the service station, the 5th information is including the use of service Stand the 5th key KR5 of public key encryption and the first parameters for authentication X, the second parameters for authentication Y of utilization the 5th key KR5 encryption And the third signature;
The service station obtains, decrypts the 5th information and verifies after the third signs successfully, utilizes the first parameters for authentication X Second parameters for authentication Y generates the 4th signature for passive side verifying, sends the 6th information, the 6th information to passive side The 6th key KR6 including the use of passive side's public key encryption and the first parameters for authentication X using the 6th key KR6 encryption, second The signature of parameters for authentication Y and the 4th;
The passive side obtains, decrypts the 6th information and verify the 4th signature.
5. such as the described in any item quantum communications service station identity identifying methods based on unsymmetrical key pond of Claims 1-4, It is characterized in that, first signature is generated using passive side's private key;Second signature and the 4th signature utilize service The side's of station private key generates;The third signature is generated using masters private key.
6. such as the described in any item quantum communications service station identity identifying methods based on unsymmetrical key pond of Claims 1-4, It is characterized in that, the masters are configured with masters key card, it is stored with service station public key in the masters key card, it is main Dynamic side's public key and masters private key;The passive side is configured with passive side's key card, is stored with clothes in dynamic side's key card Business station public key, passive side's public key and passive side's private key;The service station is configured with service station key card, the service station key Service station private key, masters public key and passive side's public key are stored in card.
7. a kind of active method, apparatus, including memory and processor, the memory are stored with computer program, feature exists In the processor realizes quantum communications service station authentication method described in claim 1 when executing the computer program Step.
8. a kind of passive method, apparatus, including memory and processor, the memory are stored with computer program, feature exists In the processor realizes quantum communications service station authentication method described in claim 2 when executing the computer program Step.
9. a kind of service station equipment, including memory and processor, the memory are stored with computer program, feature exists In the processor realizes quantum communications service station authentication method described in claim 3 when executing the computer program Step.
10. the quantum communications service station identity authorization system based on unsymmetrical key pond, which is characterized in that including being equipped with actively Side, passive side, service station and communication network;The masters are configured with masters key card, in the masters key card It is stored with service station public key, masters public key and masters private key;The passive side is configured with passive side's key card, described dynamic Service station public key, passive side's public key and passive side's private key are stored in square key card;The service station is close configured with service station Key card is stored with service station private key, masters public key and passive side's public key in the service station key card;
The masters, passive side and service station realize that quantum communications described in claim 4 take by the communication network The step of business station authentication method.
CN201910402444.0A 2019-05-15 2019-05-15 Quantum communication service station identity authentication method and system based on asymmetric key pool Active CN110176989B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910402444.0A CN110176989B (en) 2019-05-15 2019-05-15 Quantum communication service station identity authentication method and system based on asymmetric key pool

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910402444.0A CN110176989B (en) 2019-05-15 2019-05-15 Quantum communication service station identity authentication method and system based on asymmetric key pool

Publications (2)

Publication Number Publication Date
CN110176989A true CN110176989A (en) 2019-08-27
CN110176989B CN110176989B (en) 2023-03-14

Family

ID=67691057

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910402444.0A Active CN110176989B (en) 2019-05-15 2019-05-15 Quantum communication service station identity authentication method and system based on asymmetric key pool

Country Status (1)

Country Link
CN (1) CN110176989B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493010A (en) * 2019-09-24 2019-11-22 南京邮电大学 Mailing system and receiving/transmission method based on Quantum Digital Signature Research
CN113452687A (en) * 2021-06-24 2021-09-28 中电信量子科技有限公司 Method and system for encrypting sent mail based on quantum security key
WO2023077280A1 (en) * 2021-11-02 2023-05-11 Huawei Technologies Co., Ltd. Certificate-less authentication and secure communication

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450623A (en) * 2018-10-16 2019-03-08 如般量子科技有限公司 Anti- quantum calculation cryptographic key negotiation method based on unsymmetrical key pond
CN109660338A (en) * 2018-11-19 2019-04-19 如般量子科技有限公司 Anti- quantum calculation digital signature method and anti-quantum calculation digital signature system based on pool of symmetric keys

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450623A (en) * 2018-10-16 2019-03-08 如般量子科技有限公司 Anti- quantum calculation cryptographic key negotiation method based on unsymmetrical key pond
CN109660338A (en) * 2018-11-19 2019-04-19 如般量子科技有限公司 Anti- quantum calculation digital signature method and anti-quantum calculation digital signature system based on pool of symmetric keys

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493010A (en) * 2019-09-24 2019-11-22 南京邮电大学 Mailing system and receiving/transmission method based on Quantum Digital Signature Research
CN110493010B (en) * 2019-09-24 2022-03-15 南京邮电大学 Mail receiving and sending method of mail system based on quantum digital signature
CN113452687A (en) * 2021-06-24 2021-09-28 中电信量子科技有限公司 Method and system for encrypting sent mail based on quantum security key
WO2023077280A1 (en) * 2021-11-02 2023-05-11 Huawei Technologies Co., Ltd. Certificate-less authentication and secure communication

Also Published As

Publication number Publication date
CN110176989B (en) 2023-03-14

Similar Documents

Publication Publication Date Title
Tsai Efficient multi-server authentication scheme based on one-way hash function without verification table
CN110519046A (en) Quantum communications service station cryptographic key negotiation method and system based on disposable asymmetric key pair and QKD
CN109728906B (en) Anti-quantum-computation asymmetric encryption method and system based on asymmetric key pool
CN105553654B (en) Key information processing method and device, key information management system
CN101815091A (en) Cipher providing equipment, cipher authentication system and cipher authentication method
CN108566273A (en) Identity authorization system based on quantum network
CN109936456B (en) Anti-quantum computation digital signature method and system based on private key pool
CN109921905B (en) Anti-quantum computation key negotiation method and system based on private key pool
CN110138548B (en) Quantum communication service station key negotiation method and system based on asymmetric key pool pair and DH protocol
CN110505055A (en) Based on unsymmetrical key pond to and key card outer net access identity authentication method and system
CN109951274A (en) The point-to-point method for message transmission of anti-quantum calculation and system based on private key pond
CN109787758A (en) Anti- quantum calculation MQV cryptographic key negotiation method and system based on private key pond and Elgamal
CN110176989A (en) Quantum communications service station identity identifying method and system based on unsymmetrical key pond
CN110535626A (en) The quantum communications service station secret communication method and system of identity-based
CN108769029A (en) It is a kind of to application system authentication device, method and system
CN109728905A (en) Anti- quantum calculation MQV cryptographic key negotiation method and system based on unsymmetrical key pond
CN109905229A (en) Anti- quantum calculation Elgamal encryption and decryption method and system based on group's unsymmetrical key pond
CN109495244A (en) Anti- quantum calculation cryptographic key negotiation method based on pool of symmetric keys
CN110365472B (en) Quantum communication service station digital signature method and system based on asymmetric key pool pair
CN110866754A (en) Pure software DPVA (distributed data authentication and privacy infrastructure) identity authentication method based on dynamic password
CN110098925A (en) Based on unsymmetrical key pond to and random number quantum communications service station cryptographic key negotiation method and system
CN110519222A (en) Outer net access identity authentication method and system based on disposable asymmetric key pair and key card
CN110380859B (en) Quantum communication service station identity authentication method and system based on asymmetric key pool pair and DH protocol
CN110266483B (en) Quantum communication service station key negotiation method, system and device based on asymmetric key pool pair and QKD
CN201717885U (en) Code providing equipment and code identification system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant